From 18af8a130dd74a00f0d223be282bd044aca01563 Mon Sep 17 00:00:00 2001 
From: German Date: Mon, 9 Feb 2026 09:30:19 -0800 Subject: [PATCH 1/9] feat: add k3s-azure-fleet playground Add a new playground demonstrating DocumentDB on k3s clusters running on Azure VMs, integrated with KubeFleet for cluster membership and Istio for cross-cluster networking. Key features: - k3s on Azure VMs (lightweight Kubernetes for edge scenarios) - AKS hub cluster with KubeFleet for fleet management - Istio service mesh for cross-cluster replication - Azure VM Run Command for all VM operations (no SSH required) - Multi-region deployment across 3 Azure regions - Comprehensive troubleshooting and lessons learned docs Files: Bicep infrastructure, 8 deployment scripts, CRP manifests, README --- .../k3s-azure-fleet/.gitignore | 10 + .../k3s-azure-fleet/README.md | 509 ++++++++++++++++++ .../k3s-azure-fleet/cert-manager-crp.yaml | 44 ++ .../k3s-azure-fleet/delete-resources.sh | 166 ++++++ .../k3s-azure-fleet/deploy-documentdb.sh | 261 +++++++++ .../k3s-azure-fleet/deploy-infrastructure.sh | 307 +++++++++++ .../documentdb-operator-crp.yaml | 113 ++++ .../documentdb-resource-crp.yaml | 88 +++ .../k3s-azure-fleet/install-cert-manager.sh | 106 ++++ .../install-documentdb-operator.sh | 179 ++++++ .../k3s-azure-fleet/install-istio.sh | 309 +++++++++++ .../k3s-azure-fleet/main.bicep | 329 +++++++++++ .../k3s-azure-fleet/main.json | 382 +++++++++++++ .../k3s-azure-fleet/parameters.bicepparam | 28 + .../k3s-azure-fleet/setup-fleet.sh | 195 +++++++ .../k3s-azure-fleet/test-connection.sh | 139 +++++ 16 files changed, 3165 insertions(+) create mode 100644 documentdb-playground/k3s-azure-fleet/.gitignore create mode 100644 documentdb-playground/k3s-azure-fleet/README.md create mode 100644 documentdb-playground/k3s-azure-fleet/cert-manager-crp.yaml create mode 100755 documentdb-playground/k3s-azure-fleet/delete-resources.sh create mode 100755 documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh create mode 100755 
documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh create mode 100644 documentdb-playground/k3s-azure-fleet/documentdb-operator-crp.yaml create mode 100644 documentdb-playground/k3s-azure-fleet/documentdb-resource-crp.yaml create mode 100755 documentdb-playground/k3s-azure-fleet/install-cert-manager.sh create mode 100755 documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh create mode 100755 documentdb-playground/k3s-azure-fleet/install-istio.sh create mode 100644 documentdb-playground/k3s-azure-fleet/main.bicep create mode 100644 documentdb-playground/k3s-azure-fleet/main.json create mode 100644 documentdb-playground/k3s-azure-fleet/parameters.bicepparam create mode 100755 documentdb-playground/k3s-azure-fleet/setup-fleet.sh create mode 100755 documentdb-playground/k3s-azure-fleet/test-connection.sh diff --git a/documentdb-playground/k3s-azure-fleet/.gitignore b/documentdb-playground/k3s-azure-fleet/.gitignore new file mode 100644 index 00000000..d84a23e9 --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/.gitignore @@ -0,0 +1,10 @@ +# Generated files +.deployment-info +.istio-certs/ +istio-*/ +*.tgz +*.log + +# SSH key (required by Azure but not used - we use Run Command) +.ssh-key +.ssh-key.pub diff --git a/documentdb-playground/k3s-azure-fleet/README.md b/documentdb-playground/k3s-azure-fleet/README.md new file mode 100644 index 00000000..54ceaac9 --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/README.md 
@@ -0,0 +1,509 @@ +# k3s on Azure VMs with KubeFleet and Istio Multi-Cluster Management + +This playground demonstrates deploying DocumentDB on **k3s clusters running on Azure VMs**, integrated with **KubeFleet** for cluster membership and **Istio** for cross-cluster networking. This hybrid architecture showcases: + +- **Lightweight Kubernetes**: k3s on Azure VMs for edge/resource-constrained scenarios +- **Cluster Membership**: KubeFleet hub for fleet-wide resource propagation (e.g., DocumentDB CRDs) +- **Istio Service Mesh**: Cross-cluster networking without complex VNet peering +- **Multi-Region**: AKS + k3s clusters across multiple Azure regions +- **DocumentDB**: Multi-region database deployment with Istio-based replication + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────────────────────┐ +│ Istio Service Mesh (mesh1) │ +├─────────────────────────────────────────────────────────────────────────────┤ +│ │ +│ ┌────────────────────┐ ┌────────────────────┐ │ +│ │ AKS Hub Cluster │ │ k3s Cluster │ │ +│ │ (westus3) │ │ (eastus2) │ │ +│ │ │ │ │ │ +│ │ ┌──────────────┐ │ │ ┌──────────────┐ │ │ +│ │ │ KubeFleet │ │ │ │ Fleet Member │ │ │ +│ │ │ Hub Agent │ │ │ │ Agent │ │ │ +│ │ └──────────────┘ │ │ └──────────────┘ │ │ +│ │ ┌──────────────┐ │ │ ┌──────────────┐ │ │ +│ │ │ Istio ─┼──┼─────────┼──┼─ Istio │ │ │ +│ │ │ East-West GW │ │ │ │ East-West GW │ │ │ +│ │ └──────────────┘ │ │ └──────────────┘ │ │ +│ │ ┌──────────────┐ │ │ ┌──────────────┐ │ │ +│ │ │ DocumentDB │ │◄───────►│ │ DocumentDB │ │ │ +│ │ │ (Primary) │ │ Istio │ │ (Replica) │ │ │ +│ │ └──────────────┘ │ │ └──────────────┘ │ │ +│ └────────────────────┘ └────────────────────┘ │ +│ │ │ │ +│ │ Remote Secrets │ │ +│ └──────────────┬───────────────┘ │ +│ │ │ +│ ┌────────────────────────┴─────────────────────────┐ │ +│ │ k3s Cluster (uksouth) │ │ +│ │ ┌──────────────┐ ┌──────────────┐ │ │ +│ │ │ Fleet Member │ │ Istio │ │ │ +│ │ │ Agent │ │ East-West GW │ │ │ +│ │ 
└──────────────┘ └──────────────┘ │ │ +│ │ ┌──────────────────────────────────┐ │ │ +│ │ │ DocumentDB (Replica) │ │ │ +│ │ └──────────────────────────────────┘ │ │ +│ └──────────────────────────────────────────────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────────────────────┘ +``` + +## Networking Design + +- **Istio Service Mesh** handles all cross-cluster communication +- **East-West Gateways** expose services between clusters via LoadBalancer +- **Remote Secrets** enable service discovery across cluster boundaries +- **No VNet Peering Required** - Istio routes traffic over public LoadBalancers with mTLS +- **Shared Root CA** ensures all clusters trust each other + +## Network Requirements + +> **Important**: The k3s VMs require the following network access: +> +> | Port | Protocol | Direction | Purpose | +> |------|----------|-----------|---------| +> | 6443 | TCP | Inbound | Kubernetes API server (kubectl access) | +> | 15443 | TCP | Inbound | Istio east-west gateway | +> | 80, 443 | TCP | Inbound | HTTP/HTTPS traffic | +> +> **Corporate Environment Considerations**: +> - This playground uses **Azure VM Run Command** for VM operations (no SSH/port 22 needed) +> - However, **kubectl access to k3s clusters** requires port 6443 to be reachable from your client +> - Corporate firewalls may block port 6443 even when NSG rules allow it +> - **If you cannot reach k3s API**: Use Azure VPN Gateway or deploy from within the Azure network +> - The AKS hub cluster uses Azure AD authentication and works through corporate firewalls + +## Prerequisites + +- Azure CLI installed and logged in (`az login`) +- Sufficient quota in target regions for VMs and AKS clusters +- Contributor access to the subscription +- kubelogin for Azure AD authentication: `az aks install-cli` +- Helm 3.x installed +- jq for JSON processing +- istioctl (auto-downloaded if not present) +- **Network access to port 6443 on k3s VM public IPs** (see Network Requirements) + 
+## Quick Start + +```bash +# Set your resource group (optional, defaults to documentdb-k3s-fleet-rg) +export RESOURCE_GROUP=my-documentdb-fleet + +# 1. Deploy all infrastructure (AKS hub, k3s VMs) +./deploy-infrastructure.sh + +# 2. Install Istio service mesh across all clusters +./install-istio.sh + +# 3. Setup KubeFleet hub and join all members +./setup-fleet.sh + +# 4. Install cert-manager across all clusters +./install-cert-manager.sh + +# 5. Install DocumentDB operator on all clusters +./install-documentdb-operator.sh + +# 6. Deploy multi-region DocumentDB +./deploy-documentdb.sh + +# Test connection +./test-connection.sh +``` + +## Deployment Scripts + +### 1. `deploy-infrastructure.sh` + +Deploys Azure infrastructure: +- AKS hub cluster in westus3 (also serves as a member) +- Azure VMs with k3s in eastus2 and uksouth +- Each cluster in its own VNet (no peering required - Istio handles connectivity) + +```bash +# With defaults +./deploy-infrastructure.sh + +# With custom resource group +RESOURCE_GROUP=my-rg ./deploy-infrastructure.sh + +# With custom regions +export K3S_REGIONS_CSV="eastus2,uksouth,northeurope" +./deploy-infrastructure.sh +``` + +### 2. `install-istio.sh` + +Installs Istio service mesh on all clusters: +- Generates shared root CA for cross-cluster trust +- AKS hub: installs via `istioctl` (standard approach) +- k3s VMs: installs via **Helm** (`istio-base` + `istiod`) to avoid ownership conflicts, plus `istioctl` for east-west gateway only +- Patches k3s east-west gateways with VM public IPs (k3s `servicelb` only assigns internal IPs) +- Creates remote secrets for cross-cluster service discovery + +```bash +./install-istio.sh +``` + +### 3. 
`setup-fleet.sh` + +Sets up KubeFleet for multi-cluster management: +- Installs KubeFleet hub-agent on the hub cluster +- Joins all clusters (AKS and k3s) as fleet members +- **Known issue**: `joinMC.sh` has a context-switching bug; if a member fails to join, see Troubleshooting +- Fleet is used for cluster membership; Istio handles data traffic + +```bash +./setup-fleet.sh +``` + +### 4. `install-cert-manager.sh` + +Installs cert-manager on all clusters: +- Applies CRDs explicitly before Helm install (avoids silent failures) +- Installs via Helm with `startupapicheck.enabled=false` (avoids timeouts on k3s) +- Applies ClusterResourcePlacement for future cluster propagation + +```bash +./install-cert-manager.sh +``` + +### 5. `install-documentdb-operator.sh` + +Deploys DocumentDB operator on all clusters: +- Packages and installs the operator Helm chart on the AKS hub +- Installs CNPG from upstream release + DocumentDB manifests on k3s via Run Command +- Verifies deployment across all clusters + +```bash +# Build from local chart (default) +./install-documentdb-operator.sh + +# With custom values file +VALUES_FILE=custom-values.yaml ./install-documentdb-operator.sh +``` + +### 6. `deploy-documentdb.sh` + +Deploys multi-region DocumentDB with Istio networking: +- Creates namespace with istio-injection label +- Deploys DocumentDB with crossCloudNetworkingStrategy: Istio +- Configures primary and replicas across all regions + +```bash +# With auto-generated password +./deploy-documentdb.sh + +# With custom password +./deploy-documentdb.sh "MySecurePassword123!" 
+``` + +## Configuration + +### Default Settings + +| Setting | Default | Description | +|---------|---------|-------------| +| `RESOURCE_GROUP` | `documentdb-k3s-fleet-rg` | Azure resource group | +| `HUB_REGION` | `westus3` | KubeFleet hub region (AKS) | +| `K3S_REGIONS` | `eastus2,uksouth` | k3s VM regions | +| `VM_SIZE` | `Standard_D2s_v3` | Azure VM size for k3s | +| `AKS_VM_SIZE` | `Standard_DS2_v2` | AKS node VM size | +| `K3S_VERSION` | `v1.30.4+k3s1` | k3s version | +| `ISTIO_VERSION` | `1.24.0` | Istio version | + +### Network Configuration (Istio) + +Each cluster has its own isolated VNet - Istio east-west gateways handle all cross-cluster traffic: + +| Cluster | Region | Network ID | VNet CIDR | +|---------|--------|------------|-----------| +| hub-westus3 (AKS) | westus3 | network1 | 10.1.0.0/16 | +| k3s-eastus2 | eastus2 | network2 | 10.2.0.0/16 | +| k3s-uksouth | uksouth | network3 | 10.3.0.0/16 | + +## kubectl Aliases + +After deployment, these aliases are configured in `~/.bashrc`: + +```bash +source ~/.bashrc + +# AKS hub cluster +k-westus3 get nodes +k-hub get nodes + +# k3s clusters +k-eastus2 get nodes +k-uksouth get nodes +``` + +## Istio Management + +```bash +# Check Istio installation on each cluster +for ctx in hub-westus3 k3s-eastus2 k3s-uksouth; do + echo "=== $ctx ===" + kubectl --context $ctx get pods -n istio-system +done + +# Check east-west gateway services +k-hub get svc -n istio-system istio-eastwestgateway + +# Verify remote secrets (for service discovery) +k-hub get secrets -n istio-system -l istio/multiCluster=true +``` + +## Fleet Management + +```bash +# List all member clusters +k-hub get membercluster + +# Check ClusterResourcePlacement status +k-hub get clusterresourceplacement + +# View fleet hub agent logs +k-hub logs -n fleet-system-hub -l app=hub-agent + +# Check member agent on k3s cluster +k-uksouth logs -n fleet-system -l app=member-agent +``` + +## DocumentDB Management + +### Check Status + +```bash +# Check 
operator on all clusters +for ctx in hub-westus3 k3s-eastus2 k3s-uksouth; do + echo "=== $ctx ===" + kubectl --context $ctx get pods -n documentdb-operator +done + +# Check DocumentDB instances +for ctx in hub-westus3 k3s-eastus2 k3s-uksouth; do + echo "=== $ctx ===" + kubectl --context $ctx get documentdb -n documentdb-preview-ns +done +``` + +### Connect to Database + +```bash +# Port forward to primary +k-westus3 port-forward -n documentdb-preview-ns svc/documentdb-preview 10260:10260 + +# Connection string +mongodb://default_user:@localhost:10260/?directConnection=true&authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true +``` + +### Failover + +```bash +# Failover to k3s cluster in UK South +k-hub patch documentdb documentdb-preview -n documentdb-preview-ns \ + --type='merge' -p '{"spec":{"clusterReplication":{"primary":"k3s-uksouth"}}}' +``` + +## Use Cases + +### Edge Computing +k3s on Azure VMs simulates edge locations where full AKS might be too heavy. DocumentDB replication ensures data availability at the edge while maintaining consistency with central clusters. 
+ +### Hybrid Cloud +Mix AKS managed clusters with self-managed k3s for: +- Cost optimization (k3s on cheaper VMs) +- Specific compliance requirements +- Testing/development environments + +### Disaster Recovery +Multi-region deployment with automatic failover capabilities: +- Primary in AKS (production-grade) +- Replicas in k3s (cost-effective DR) + +## Troubleshooting + +### k3s VM Issues + +```bash +# Check k3s status via Run Command (no SSH needed) +az vm run-command invoke \ + --resource-group $RESOURCE_GROUP \ + --name k3s-uksouth \ + --command-id RunShellScript \ + --scripts "sudo systemctl status k3s; sudo k3s kubectl get nodes" + +# View k3s logs via Run Command +az vm run-command invoke \ + --resource-group $RESOURCE_GROUP \ + --name k3s-uksouth \ + --command-id RunShellScript \ + --scripts "sudo journalctl -u k3s --no-pager -n 50" +``` + +### Istio Issues + +```bash +# Check Istio pods +k-uksouth get pods -n istio-system + +# Check east-west gateway external IP +k-uksouth get svc -n istio-system istio-eastwestgateway + +# Verify remote secrets exist +k-hub get secrets -n istio-system -l istio/multiCluster=true + +# Check Istio proxy status in DocumentDB namespace +k-uksouth get pods -n documentdb-preview-ns -o jsonpath='{.items[*].spec.containers[*].name}' | tr ' ' '\n' | grep istio +``` + +### Fleet Member Not Joining + +```bash +# Check member agent logs on k3s +k-uksouth logs -n fleet-system deployment/member-agent + +# Verify hub API server is reachable (via Istio) +k-uksouth run test --rm -it --image=curlimages/curl -- curl -k https://hub-westus3-api:443/healthz +``` + +### DocumentDB Not Propagating + +```bash +# Check ClusterResourcePlacement +k-hub describe clusterresourceplacement documentdb-namespace-crp + +# Verify namespace exists on member +k-uksouth get namespace documentdb-preview-ns +``` + +### Cross-Cluster Connectivity (Istio) + +```bash +# Test Istio mesh connectivity +kubectl --context k3s-uksouth run test --rm -it 
--image=nicolaka/netshoot -- \ + curl -k https://documentdb-preview.documentdb-preview-ns.svc:10260/health + +# Check Istio eastwest gateway is exposed +k-uksouth get svc -n istio-system istio-eastwestgateway -o wide +``` + +## Cleanup + +```bash +# Delete everything +./delete-resources.sh + +# Force delete without confirmation +./delete-resources.sh --force + +# Delete specific resources only +./delete-resources.sh --vms-only # Only k3s VMs +./delete-resources.sh --aks-only # Only AKS clusters +``` + +## Cost Estimates + +| Resource | Configuration | Estimated Monthly Cost | +|----------|---------------|----------------------| +| AKS Hub (westus3) | 2x Standard_DS2_v2 | ~$140 | +| k3s VM (eastus2) | 1x Standard_D2s_v3 | ~$70 | +| k3s VM (uksouth) | 1x Standard_D2s_v3 | ~$70 | +| Storage (3x 10GB) | Premium SSD | ~$6 | +| Load Balancers | 3x Standard (Istio) | ~$54 | +| **Total** | | **~$340/month** | + +> **Tip**: Use `./delete-resources.sh` when not in use to avoid charges. + +## Files Reference + +| File | Description | +|------|-------------| +| `main.bicep` | Bicep template for Azure infrastructure | +| `parameters.bicepparam` | Bicep parameters file | +| `deploy-infrastructure.sh` | Deploy VMs, VNets, AKS cluster | +| `install-istio.sh` | Install Istio service mesh | +| `setup-fleet.sh` | Configure KubeFleet hub and members | +| `install-cert-manager.sh` | Install cert-manager | +| `install-documentdb-operator.sh` | Deploy DocumentDB operator | +| `deploy-documentdb.sh` | Deploy multi-region DocumentDB | +| `delete-resources.sh` | Cleanup all resources | +| `test-connection.sh` | Test DocumentDB connectivity | +| `documentdb-operator-crp.yaml` | Operator CRP (reference only — not applied) | +| `cert-manager-crp.yaml` | cert-manager CRP (for future cluster propagation) | +| `documentdb-resource-crp.yaml` | DocumentDB ClusterResourcePlacement | + +## Known Issues & Lessons Learned + +### Azure VM Run Command +This playground uses Azure VM Run Command instead of 
SSH for all VM operations: +- **Benefits**: Works through corporate firewalls, no SSH keys to manage, no port 22 required +- **Limitations**: ~30-60 seconds per invocation, output format requires parsing +- **Output parsing**: Results come as `[stdout]\n...\n[stderr]\n...` — extract with: + ```bash + az vm run-command invoke ... --query 'value[0].message' -o tsv | \ + awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag' + ``` + +### k3s TLS SANs and API Server (Critical) +- k3s generates certificates with `127.0.0.1` only — external access requires adding the public IP as a TLS SAN +- The cloud-init uses Azure Instance Metadata Service (IMDS) to get the public IP before k3s install: + ```bash + curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2021-02-01&format=text" + ``` +- **`advertise-address`**: Must be set to the private IP, otherwise `kubernetes` endpoint uses the public IP which breaks internal pod→API server connectivity via ClusterIP (10.43.0.1) +- **`node-external-ip`**: Set to public IP so LoadBalancer services get the public IP + +### k3s kubeconfig Management +- k3s generates kubeconfig with `127.0.0.1` — scripts automatically update to public IP +- When redeploying, old kubeconfigs have stale IPs/certs — scripts delete old contexts first +- Use `kubectl config delete-context ` to clean up manually if needed + +### Istio on k3s +- **Use Helm**, not `istioctl install`, for k3s clusters — `istioctl` creates resources without Helm annotations, causing ownership conflicts if you later use Helm +- k3s uses `servicelb` (klipper) for LoadBalancer services which assigns node IPs, not public IPs +- Patch east-west gateway services with `externalIPs` pointing to the node's public IP: + ```bash + kubectl patch svc istio-eastwestgateway -n istio-system \ + --type='json' -p='[{"op": "add", "path": "/spec/externalIPs", "value": [""]}]' + ``` +- Set 
`pilot.autoscaleEnabled=false` and `pilot.replicaCount=1` for single-node k3s clusters + +### DocumentDB on k3s +- The `environment` field only supports `aks`, `eks`, `gke` — **use `aks` for k3s clusters** +- DocumentDB operator is installed on k3s via Run Command (base64-encoded manifests + CNPG upstream release) +- CNPG must be installed separately on k3s since the Helm chart can't be transferred easily + +### cert-manager on k3s +- Set `startupapicheck.enabled=false` to avoid timeouts on resource-constrained k3s +- Apply CRDs explicitly with `kubectl apply -f` before Helm install (the `crds.enabled=true` flag can silently fail) + +### Corporate Network (NRMS) +- Azure NRMS policies auto-add deny rules at priority 105-109 on NSGs +- Port 22 is denied by NRMS-Rule-106; to enable SSH, add allow rule at priority 100 +- Port 6443 is not in NRMS deny lists but corporate VPN/firewall may block it +- NSG minimum priority is 100 (cannot go lower) + +### Bicep Deployment Tips +- Use `resourceId()` function for subnet references to avoid race conditions +- Add explicit `dependsOn` for AKS clusters referencing VNets +- Check AKS supported Kubernetes versions: `az aks get-versions --location ` +- Azure VMs require SSH key even when not using SSH; changing key on existing VM causes "PropertyChangeNotAllowed" error + +## Related Playgrounds + +- [aks-fleet-deployment](../aks-fleet-deployment/) - Pure AKS multi-region with KubeFleet +- [aks-setup](../aks-setup/) - Single AKS cluster setup +- [multi-cloud-deployment](../multi-cloud-deployment/) - Cross-cloud (AKS + GKE + EKS) with Istio + +## Additional Resources + +- [k3s Documentation](https://docs.k3s.io/) +- [KubeFleet Documentation](https://kubefleet.dev/docs/) +- [Istio Multi-Cluster](https://istio.io/latest/docs/setup/install/multicluster/) +- [Azure VMs Documentation](https://docs.microsoft.com/en-us/azure/virtual-machines/) +- [DocumentDB Kubernetes Operator](../../README.md) 
diff --git a/documentdb-playground/k3s-azure-fleet/cert-manager-crp.yaml b/documentdb-playground/k3s-azure-fleet/cert-manager-crp.yaml
new file mode 100644
index 00000000..75a90575
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/cert-manager-crp.yaml
@@ -0,0 +1,44 @@
+apiVersion: placement.kubernetes-fleet.io/v1beta1
+kind: ClusterResourcePlacement
+metadata:
+ name: cert-manager-crp
+spec:
+ resourceSelectors:
+ - group: ""
+ version: v1
+ kind: Namespace
+ name: cert-manager
+ - group: "apiextensions.k8s.io"
+ version: v1
+ kind: CustomResourceDefinition
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ - group: "rbac.authorization.k8s.io"
+ version: v1
+ kind: ClusterRole
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ - group: "rbac.authorization.k8s.io"
+ version: v1
+ kind: ClusterRoleBinding
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ - group: "admissionregistration.k8s.io"
+ version: v1
+ kind: MutatingWebhookConfiguration
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ - group: "admissionregistration.k8s.io"
+ version: v1
+ kind: ValidatingWebhookConfiguration
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ policy:
+ placementType: PickAll
+ strategy:
+ type: RollingUpdate
diff --git a/documentdb-playground/k3s-azure-fleet/delete-resources.sh b/documentdb-playground/k3s-azure-fleet/delete-resources.sh
new file mode 100755
index 00000000..4b5036ff
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/delete-resources.sh
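Review bot: In cert-manager-crp.yaml the `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` selectors, combined with `placementType: PickAll`, push the hub's webhook objects to every member cluster, including members that already run their own Helm-installed cert-manager (the README describes a per-cluster Helm install followed by this CRP). Those webhook objects normally carry a cluster-specific `caBundle` injected by cert-manager's cainjector, so the hub copy and the member's own injector would likely overwrite each other and admission calls could fail TLS verification in between; this is inferred from how cert-manager usually works, not from lines in this hunk. I would either drop the two webhook selectors or restrict the placement to clusters without a local install, and add a header comment such as `# Only for members without a Helm-installed cert-manager; webhook caBundle is per-cluster.`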
@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Delete all resources created by this playground
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Load deployment info if available
+if [ -f "$SCRIPT_DIR/.deployment-info" ]; then
+ source "$SCRIPT_DIR/.deployment-info"
+fi
+
+RESOURCE_GROUP="${RESOURCE_GROUP:-documentdb-k3s-fleet-rg}"
+FORCE="${FORCE:-false}"
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --force|-f)
+ FORCE="true"
+ shift
+ ;;
+ --resource-group|-g)
+ RESOURCE_GROUP="$2"
+ shift 2
+ ;;
+ --vms-only)
+ VMS_ONLY="true"
+ shift
+ ;;
+ --aks-only)
+ AKS_ONLY="true"
+ shift
+ ;;
+ -h|--help)
+ echo "Usage: $0 [OPTIONS]"
+ echo ""
+ echo "Options:"
+ echo " --force, -f Skip confirmation prompts"
+ echo " --resource-group, -g Resource group name (default: documentdb-k3s-fleet-rg)"
+ echo " --vms-only Delete only k3s VMs"
+ echo " --aks-only Delete only AKS clusters"
+ echo " -h, --help Show this help"
+ exit 0
+ ;;
+ *)
+ echo "Unknown option: $1"
+ exit 1
+ ;;
+ esac
+done
+
+echo "======================================="
+echo "Resource Cleanup"
+echo "======================================="
+echo "Resource Group: $RESOURCE_GROUP"
+echo "======================================="
+
+# Check if resource group exists
+if ! az group show --name "$RESOURCE_GROUP" &>/dev/null; then
+ echo "Resource group '$RESOURCE_GROUP' does not exist. Nothing to delete."
+ exit 0
+fi
+
+# Confirmation
+if [ "$FORCE" != "true" ]; then
+ echo ""
+ echo "⚠️ WARNING: This will delete all resources in '$RESOURCE_GROUP'"
+ echo ""
+ read -p "Are you sure? (yes/no): " CONFIRM
+ if [ "$CONFIRM" != "yes" ]; then
+ echo "Cancelled."
+ exit 0
+ fi
+fi
+
+# Delete specific resources if requested
+if [ "${VMS_ONLY:-false}" = "true" ]; then
+ echo ""
+ echo "Deleting k3s VMs only..."
+
+ VMS=$(az vm list -g "$RESOURCE_GROUP" --query "[?contains(name,'k3s')].name" -o tsv)
+ for vm in $VMS; do
+ echo " Deleting VM: $vm"
+ az vm delete -g "$RESOURCE_GROUP" -n "$vm" --yes --no-wait
+ done
+
+ echo "✓ VM deletion initiated"
+ exit 0
+fi
+
+if [ "${AKS_ONLY:-false}" = "true" ]; then
+ echo ""
+ echo "Deleting AKS clusters only..."
+
+ CLUSTERS=$(az aks list -g "$RESOURCE_GROUP" --query "[].name" -o tsv)
+ for cluster in $CLUSTERS; do
+ echo " Deleting AKS cluster: $cluster"
+ az aks delete -g "$RESOURCE_GROUP" -n "$cluster" --yes --no-wait
+ done
+
+ echo "✓ AKS deletion initiated"
+ exit 0
+fi
+
+# Delete DocumentDB resources first (if clusters still exist)
+echo ""
+echo "Cleaning up Kubernetes resources..."
+
+# Try to delete DocumentDB resources from hub
+if [ -n "${HUB_CLUSTER_NAME:-}" ]; then
+ if kubectl config get-contexts "$HUB_CLUSTER_NAME" &>/dev/null 2>&1; then
+ echo " Deleting DocumentDB ClusterResourcePlacement..."
+ kubectl --context "$HUB_CLUSTER_NAME" delete clusterresourceplacement documentdb-namespace-crp --ignore-not-found=true 2>/dev/null || true
+ kubectl --context "$HUB_CLUSTER_NAME" delete clusterresourceplacement documentdb-operator-crp --ignore-not-found=true 2>/dev/null || true
+ kubectl --context "$HUB_CLUSTER_NAME" delete clusterresourceplacement cert-manager-crp --ignore-not-found=true 2>/dev/null || true
+
+ echo " Deleting DocumentDB namespace..."
+ kubectl --context "$HUB_CLUSTER_NAME" delete namespace documentdb-preview-ns --ignore-not-found=true 2>/dev/null || true
+ fi
+fi
+
+# Delete entire resource group
+echo ""
+echo "Deleting resource group '$RESOURCE_GROUP'..."
+echo "This will delete all VMs, AKS clusters, VNets, and associated resources."
+az group delete --name "$RESOURCE_GROUP" --yes --no-wait
+
+echo ""
+echo "✓ Resource group deletion initiated"
+
+# Clean up local files
+echo ""
+echo "Cleaning up local files..."
+rm -f "$SCRIPT_DIR/.deployment-info"
+rm -f "$SCRIPT_DIR/documentdb-operator-*.tgz"
+rm -rf "$SCRIPT_DIR/.istio-certs"
+
+# Clean up kubeconfig contexts
+echo "Cleaning up kubectl contexts..."
+for ctx in $(kubectl config get-contexts -o name 2>/dev/null | grep -E "(hub-|member-|k3s-)" || true); do
+ kubectl config delete-context "$ctx" 2>/dev/null || true
+done
+
+# Remove aliases from shell config files
+for SHELL_RC in "$HOME/.bashrc" "$HOME/.zshrc"; do
+ if [ -f "$SHELL_RC" ]; then
+ if grep -q "# BEGIN k3s-fleet aliases" "$SHELL_RC" 2>/dev/null; then
+ echo "Removing kubectl aliases from $SHELL_RC..."
+ awk '/# BEGIN k3s-fleet aliases/,/# END k3s-fleet aliases/ {next} {print}' "$SHELL_RC" > "$SHELL_RC.tmp"
+ mv "$SHELL_RC.tmp" "$SHELL_RC"
+ fi
+ fi
+done
+
+echo ""
+echo "======================================="
+echo "✅ Cleanup Complete!"
+echo "======================================="
+echo ""
+echo "Resource group deletion is running in the background."
+echo "Run 'az group show -n $RESOURCE_GROUP' to check status."
+echo ""
+echo "To verify deletion is complete:"
+echo " az group list --query \"[?name=='$RESOURCE_GROUP']\" -o table"
+echo "======================================="
diff --git a/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh b/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh
new file mode 100755
index 00000000..2d539b32
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh
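Review bot: In delete-resources.sh the kubeconfig cleanup loop deletes every context whose name contains `hub-`, `member-` or `k3s-` anywhere, because `grep -E "(hub-|member-|k3s-)"` is unanchored; an unrelated context such as `github-ci` (constructed example) would be removed along with the playground's own. Anchor the pattern, e.g. `grep -E '^(hub|member|k3s)-'`, or better delete only `$HUB_CLUSTER_NAME` and the `k3s-<region>` names already loaded from `.deployment-info`. In the local-file cleanup, `rm -f "$SCRIPT_DIR/documentdb-operator-*.tgz"` quotes the glob, so the packaged chart is never removed; it should read `rm -f "$SCRIPT_DIR"/documentdb-operator-*.tgz`. The rc-file rewrite also drops everything after `# BEGIN k3s-fleet aliases` when the END marker is missing, so checking for both markers before the `awk`/`mv` pair would protect the user's `.bashrc`/`.zshrc`.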
@@ -0,0 +1,261 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Deploy multi-region DocumentDB with cross-cluster replication using Istio + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Load deployment info +if [ -f "$SCRIPT_DIR/.deployment-info" ]; then + source "$SCRIPT_DIR/.deployment-info" +else + echo "Error: Deployment info not found. Run deploy-infrastructure.sh first." + exit 1 +fi + +# Password from argument or environment +DOCUMENTDB_PASSWORD="${1:-${DOCUMENTDB_PASSWORD:-}}" + +# Generate password if not provided +if [ -z "$DOCUMENTDB_PASSWORD" ]; then + echo "No password provided. Generating a secure password..." + DOCUMENTDB_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25) + echo "Generated password: $DOCUMENTDB_PASSWORD" + echo "(Save this password - you'll need it to connect to the database)" + echo "" +fi + +HUB_CLUSTER_NAME="hub-${HUB_REGION}" + +echo "=======================================" +echo "DocumentDB Multi-Region Deployment" +echo "=======================================" +echo "Hub Cluster: $HUB_CLUSTER_NAME" +echo "Cross-cluster networking: Istio" +echo "=======================================" + +# Build list of all clusters +ALL_CLUSTERS="$HUB_CLUSTER_NAME" + +# Add k3s clusters +IFS=' ' read -ra K3S_REGION_ARRAY <<< "$K3S_REGIONS" +for region in "${K3S_REGION_ARRAY[@]}"; do + if kubectl config get-contexts "k3s-$region" &>/dev/null; then + ALL_CLUSTERS="$ALL_CLUSTERS k3s-$region" + fi +done + +CLUSTER_ARRAY=($ALL_CLUSTERS) +echo "Discovered ${#CLUSTER_ARRAY[@]} clusters:" +for cluster in "${CLUSTER_ARRAY[@]}"; do + echo " - $cluster" +done + +# Select primary cluster (prefer hub cluster) +PRIMARY_CLUSTER="$HUB_CLUSTER_NAME" +echo "" +echo "Selected primary cluster: $PRIMARY_CLUSTER" + +# Build cluster list YAML +CLUSTER_LIST="" +for cluster in "${CLUSTER_ARRAY[@]}"; do + # Note: DocumentDB only supports 'aks', 'eks', 'gke' environments. + # k3s clusters use 'aks' environment since they behave similarly. 
+ ENV="aks" + + if [ -z "$CLUSTER_LIST" ]; then + CLUSTER_LIST=" - name: ${cluster}" + CLUSTER_LIST="${CLUSTER_LIST}"$'\n'" environment: ${ENV}" + else + CLUSTER_LIST="${CLUSTER_LIST}"$'\n'" - name: ${cluster}" + CLUSTER_LIST="${CLUSTER_LIST}"$'\n'" environment: ${ENV}" + fi +done + +# Create cluster identification ConfigMaps +echo "" +echo "=======================================" +echo "Creating cluster identification ConfigMaps..." +echo "=======================================" + +for cluster in "${CLUSTER_ARRAY[@]}"; do + echo "Processing $cluster..." + + if ! kubectl config get-contexts "$cluster" &>/dev/null; then + echo " ✗ Context not found, skipping" + continue + fi + + kubectl --context "$cluster" create configmap cluster-name \ + -n kube-system \ + --from-literal=name="$cluster" \ + --dry-run=client -o yaml | kubectl --context "$cluster" apply -f - + + echo " ✓ ConfigMap created" +done + +# Deploy DocumentDB resources +echo "" +echo "=======================================" +echo "Deploying DocumentDB resources..." +echo "=======================================" + +kubectl config use-context "$HUB_CLUSTER_NAME" + +# Check for existing resources +EXISTING="" +if kubectl get namespace documentdb-preview-ns &>/dev/null 2>&1; then + EXISTING="${EXISTING}namespace " +fi +if kubectl get secret documentdb-credentials -n documentdb-preview-ns &>/dev/null 2>&1; then + EXISTING="${EXISTING}secret " +fi +if kubectl get documentdb documentdb-preview -n documentdb-preview-ns &>/dev/null 2>&1; then + EXISTING="${EXISTING}documentdb " +fi + +if [ -n "$EXISTING" ]; then + echo "" + echo "⚠️ Warning: Existing resources found: $EXISTING" + echo "" + echo "Options:" + echo "1. Delete existing resources and redeploy" + echo "2. Update existing deployment" + echo "3. Cancel" + read -p "Choose (1/2/3): " CHOICE + + case $CHOICE in + 1) + echo "Deleting existing resources..." 
+ kubectl delete clusterresourceplacement documentdb-namespace-crp --ignore-not-found=true + kubectl delete namespace documentdb-preview-ns --ignore-not-found=true + sleep 10 + ;; + 2) + echo "Updating existing deployment..." + ;; + 3|*) + echo "Cancelled." + exit 0 + ;; + esac +fi + +# Generate manifest with substitutions +TEMP_YAML=$(mktemp) + +sed -e "s/{{DOCUMENTDB_PASSWORD}}/$DOCUMENTDB_PASSWORD/g" \ + -e "s/{{PRIMARY_CLUSTER}}/$PRIMARY_CLUSTER/g" \ + "$SCRIPT_DIR/documentdb-resource-crp.yaml" | \ +while IFS= read -r line; do + if [[ "$line" == '{{CLUSTER_LIST}}' ]]; then + echo "$CLUSTER_LIST" + else + echo "$line" + fi +done > "$TEMP_YAML" + +echo "" +echo "Generated configuration:" +echo "------------------------" +echo "Primary: $PRIMARY_CLUSTER" +echo "Clusters:" +echo "$CLUSTER_LIST" +echo "------------------------" + +# Apply configuration +echo "" +echo "Applying DocumentDB configuration..." +kubectl apply -f "$TEMP_YAML" +rm -f "$TEMP_YAML" + +# Check ClusterResourcePlacement +echo "" +echo "Checking ClusterResourcePlacement status..." +kubectl get clusterresourceplacement documentdb-namespace-crp -o wide + +# Wait for propagation +echo "" +echo "Waiting for resources to propagate..." +sleep 15 + +# Verify deployment +echo "" +echo "=======================================" +echo "Deployment Verification" +echo "=======================================" + +for cluster in "${CLUSTER_ARRAY[@]}"; do + echo "" + echo "=== $cluster ===" + + if ! 
kubectl config get-contexts "$cluster" &>/dev/null; then + echo " ✗ Context not found" + continue + fi + + # Check namespace + if kubectl --context "$cluster" get namespace documentdb-preview-ns &>/dev/null; then + echo " ✓ Namespace exists" + + # Check DocumentDB + if kubectl --context "$cluster" get documentdb documentdb-preview -n documentdb-preview-ns &>/dev/null; then + STATUS=$(kubectl --context "$cluster" get documentdb documentdb-preview -n documentdb-preview-ns -o jsonpath='{.status.phase}' 2>/dev/null || echo "Unknown") + ROLE="REPLICA" + [ "$cluster" = "$PRIMARY_CLUSTER" ] && ROLE="PRIMARY" + echo " ✓ DocumentDB: $STATUS (Role: $ROLE)" + else + echo " ✗ DocumentDB not found" + fi + + # Check pods + PODS=$(kubectl --context "$cluster" get pods -n documentdb-preview-ns --no-headers 2>/dev/null | wc -l || echo "0") + echo " Pods: $PODS" + + if [ "$PODS" -gt 0 ]; then + kubectl --context "$cluster" get pods -n documentdb-preview-ns 2>/dev/null | head -5 + fi + else + echo " ✗ Namespace not found (propagating...)" + fi +done + +# Connection information +echo "" +echo "=======================================" +echo "Connection Information" +echo "=======================================" +echo "" +echo "Username: default_user" +echo "Password: $DOCUMENTDB_PASSWORD" +echo "" +echo "To connect via port-forward:" +echo " kubectl --context $PRIMARY_CLUSTER port-forward -n documentdb-preview-ns svc/documentdb-preview 10260:10260" +echo "" +echo "Connection string:" +echo " mongodb://default_user:$DOCUMENTDB_PASSWORD@localhost:10260/?directConnection=true&authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true" +echo "" + +# Failover commands +echo "Failover commands:" +for cluster in "${CLUSTER_ARRAY[@]}"; do + if [ "$cluster" != "$PRIMARY_CLUSTER" ]; then + echo "" + echo "# Failover to $cluster:" + echo "kubectl --context $HUB_CLUSTER_NAME patch documentdb documentdb-preview -n documentdb-preview-ns \\" + echo " --type='merge' -p 
'{\"spec\":{\"clusterReplication\":{\"primary\":\"$cluster\"}}}'" + fi +done + +echo "" +echo "=======================================" +echo "✅ DocumentDB Deployment Complete!" +echo "=======================================" +echo "" +echo "Monitor deployment:" +echo " watch 'kubectl --context $HUB_CLUSTER_NAME get clusterresourceplacement documentdb-namespace-crp -o wide'" +echo "" +echo "Check all clusters:" +CLUSTER_STRING=$(IFS=' '; echo "${CLUSTER_ARRAY[*]}") +echo " for c in $CLUSTER_STRING; do echo \"=== \$c ===\"; kubectl --context \$c get documentdb,pods -n documentdb-preview-ns; done" +echo "=======================================" diff --git a/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh b/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh new file mode 100755 index 00000000..0a0113c4 --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh 
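Review bot: The database password is substituted into the manifest with `sed -e "s/{{DOCUMENTDB_PASSWORD}}/$DOCUMENTDB_PASSWORD/g"`, so a caller-supplied value containing `/`, `&` or `\` breaks or alters the substitution, and the result lands unquoted in the Secret's `stringData`. Only the generated password is filtered (`tr -d "=+/"`); a value taken from `$1` or the environment is used as given. I would validate it before use, `[[ "$DOCUMENTDB_PASSWORD" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Error: unsupported characters in password" >&2; exit 1; }`, and quote the placeholder in documentdb-resource-crp.yaml. The same secret is also echoed to stdout three times (on generation, under "Connection Information" and inside the connection string) and appears in sed's argument list, so terminal scrollback and CI logs end up holding it. Printing how to read it back from the `documentdb-credentials` Secret would avoid that.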
@@ -0,0 +1,307 @@ +#!/bin/bash +set -e + +# ================================ +# k3s + AKS Infrastructure Deployment with Istio +# ================================ +# Deploys: +# - 1 AKS cluster (hub) in westus3 +# - 2 k3s VMs in eastus2 and uksouth +# - No VNet peering (Istio handles cross-cluster traffic) +# - Uses Azure VM Run Command (no SSH required) + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Configuration +RESOURCE_GROUP="${RESOURCE_GROUP:-documentdb-k3s-fleet-rg}" +HUB_REGION="${HUB_REGION:-westus3}" +K3S_REGIONS="${K3S_REGIONS_CSV:-eastus2,uksouth}" + +# Convert comma-separated to array +IFS=',' read -ra K3S_REGION_ARRAY <<< "$K3S_REGIONS" + +echo "=======================================" +echo "k3s + AKS Infrastructure Deployment" +echo "=======================================" +echo "Resource Group: $RESOURCE_GROUP" +echo "Hub Region: $HUB_REGION" +echo "k3s Regions: ${K3S_REGION_ARRAY[*]}" +echo "" +echo "Networking: Istio service mesh (no VNet peering)" +echo "VM Access: Azure VM Run Command (no SSH required)" +echo "=======================================" +echo "" + +# Use a stable SSH key path (Azure requires SSH key for VMs, but we use Run Command instead) +SSH_KEY_PATH="${SCRIPT_DIR}/.ssh-key" +if [ ! -f "$SSH_KEY_PATH" ]; then + echo "Generating SSH key (required by Azure, but we use Run Command instead)..." + ssh-keygen -t rsa -b 2048 -f "$SSH_KEY_PATH" -N "" -C "k3s-azure-fleet" -q +fi +SSH_PUBLIC_KEY=$(cat "${SSH_KEY_PATH}.pub") + +# Create resource group +echo "Creating/verifying resource group..." +if az group show --name "$RESOURCE_GROUP" &>/dev/null; then + RG_STATE=$(az group show --name "$RESOURCE_GROUP" --query "properties.provisioningState" -o tsv 2>/dev/null || echo "Unknown") + if [ "$RG_STATE" = "Deleting" ]; then + echo "Resource group is being deleted. Waiting..." 
+ while az group show --name "$RESOURCE_GROUP" &>/dev/null; do + sleep 10 + done + echo "Creating resource group '$RESOURCE_GROUP' in '$HUB_REGION'" + az group create --name "$RESOURCE_GROUP" --location "$HUB_REGION" --output none + else + echo "Using existing resource group '$RESOURCE_GROUP'" + fi +else + echo "Creating resource group '$RESOURCE_GROUP' in '$HUB_REGION'" + az group create --name "$RESOURCE_GROUP" --location "$HUB_REGION" --output none +fi + +# Check if VMs already exist (to skip Bicep if just re-running for kubeconfig) +EXISTING_VMS=$(az vm list -g "$RESOURCE_GROUP" --query "[?contains(name,'k3s')].name" -o tsv 2>/dev/null | wc -l | tr -d ' ') +SKIP_BICEP=false + +if [ "$EXISTING_VMS" -gt 0 ]; then + echo "" + echo "Found $EXISTING_VMS existing k3s VM(s). Skipping Bicep deployment." + echo "(Delete VMs or resource group to force re-deployment)" + SKIP_BICEP=true +fi + +if [ "$SKIP_BICEP" = "false" ]; then + # Deploy Bicep template + echo "" + echo "Deploying Azure infrastructure with Bicep..." + echo "(This includes AKS hub and k3s VMs - typically takes 5-10 minutes)" + + # Build k3s regions array for Bicep + K3S_REGIONS_JSON=$(printf '%s\n' "${K3S_REGION_ARRAY[@]}" | jq -R . | jq -s .) + + az deployment group create \ + --resource-group "$RESOURCE_GROUP" \ + --template-file "${SCRIPT_DIR}/main.bicep" \ + --parameters hubLocation="$HUB_REGION" \ + --parameters k3sRegions="$K3S_REGIONS_JSON" \ + --parameters sshPublicKey="$SSH_PUBLIC_KEY" \ + --output none + + echo "✓ Infrastructure deployed" +fi + +# Get deployment outputs +echo "" +echo "Retrieving deployment outputs..." 
+ +DEPLOYMENT_OUTPUT=$(az deployment group show \ + --resource-group "$RESOURCE_GROUP" \ + --name main \ + --query "properties.outputs" \ + -o json 2>/dev/null || echo "{}") + +AKS_CLUSTER_NAME=$(echo "$DEPLOYMENT_OUTPUT" | jq -r '.aksClusterName.value // empty') +K3S_VM_NAMES=$(echo "$DEPLOYMENT_OUTPUT" | jq -r '.k3sVmNames.value // [] | @csv' | tr -d '"') +K3S_PUBLIC_IPS=$(echo "$DEPLOYMENT_OUTPUT" | jq -r '.k3sVmPublicIps.value // [] | @csv' | tr -d '"') + +# Fallback if outputs not available yet +if [ -z "$AKS_CLUSTER_NAME" ]; then + AKS_CLUSTER_NAME="hub-${HUB_REGION}" +fi + +echo "AKS Cluster: $AKS_CLUSTER_NAME" +echo "k3s VMs: $K3S_VM_NAMES" +echo "k3s IPs: $K3S_PUBLIC_IPS" + +# Configure kubectl for AKS +echo "" +echo "Configuring kubectl for AKS hub cluster..." +az aks get-credentials \ + --resource-group "$RESOURCE_GROUP" \ + --name "$AKS_CLUSTER_NAME" \ + --overwrite-existing \ + --admin \ + --context "hub-${HUB_REGION}" \ + 2>/dev/null || \ +az aks get-credentials \ + --resource-group "$RESOURCE_GROUP" \ + --name "$AKS_CLUSTER_NAME" \ + --overwrite-existing \ + --context "hub-${HUB_REGION}" + +echo "✓ AKS kubectl context: hub-${HUB_REGION}" + +# Wait for k3s VMs to be ready and get kubeconfig via Run Command +echo "" +echo "Waiting for k3s clusters to be ready (using Azure VM Run Command)..." +echo "This avoids SSH and works through corporate firewalls." + +IFS=',' read -ra K3S_IP_ARRAY <<< "$K3S_PUBLIC_IPS" + +for i in "${!K3S_REGION_ARRAY[@]}"; do + region="${K3S_REGION_ARRAY[$i]}" + vm_name="k3s-${region}" + + echo "" + echo "Configuring k3s-${region}..." + + # Get public IP for kubeconfig + public_ip=$(az vm show -g "$RESOURCE_GROUP" -n "$vm_name" -d --query publicIps -o tsv 2>/dev/null || echo "") + K3S_IP_ARRAY[$i]="$public_ip" + + if [ -z "$public_ip" ]; then + echo "⚠ Could not get IP for $vm_name, skipping..." 
+ continue + fi + + echo " VM Public IP: $public_ip" + + # Wait for k3s to be ready using Run Command + echo " Waiting for k3s to be ready..." + k3s_ready=false + for attempt in {1..30}; do + result=$(az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts "sudo k3s kubectl get nodes 2>/dev/null && echo K3S_READY" \ + --query 'value[0].message' -o tsv 2>/dev/null || echo "") + + if echo "$result" | grep -q "K3S_READY"; then + echo " ✓ k3s ready" + k3s_ready=true + break + fi + echo " Waiting for k3s... (attempt $attempt/30)" + sleep 10 + done + + if [ "$k3s_ready" = "false" ]; then + echo " ✗ ERROR: k3s failed to become ready on $vm_name after 5 minutes" + echo " Check VM status: az vm run-command invoke -g $RESOURCE_GROUP -n $vm_name --command-id RunShellScript --scripts 'systemctl status k3s'" + continue + fi + + # Get kubeconfig via Run Command + echo " Retrieving kubeconfig via Run Command..." + RAW_OUTPUT=$(az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts "sudo cat /etc/rancher/k3s/k3s.yaml" \ + --query 'value[0].message' -o tsv 2>/dev/null || echo "") + + # Extract the YAML from the Run Command output + # The output format is: [stdout]\n\n[stderr]\n + # We need to extract just the content between [stdout] and [stderr] + KUBECONFIG_CONTENT=$(echo "$RAW_OUTPUT" | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag') + + # Fallback: try to find apiVersion line and extract from there + if [ -z "$KUBECONFIG_CONTENT" ] || ! 
echo "$KUBECONFIG_CONTENT" | grep -q "apiVersion"; then + KUBECONFIG_CONTENT=$(echo "$RAW_OUTPUT" | sed -n '/^apiVersion:/,/^current-context:/p') + # Add the current-context line if we have it + CURRENT_CTX=$(echo "$RAW_OUTPUT" | grep "^current-context:" | head -1) + if [ -n "$CURRENT_CTX" ]; then + KUBECONFIG_CONTENT="$KUBECONFIG_CONTENT"$'\n'"$CURRENT_CTX" + fi + fi + + if [ -n "$KUBECONFIG_CONTENT" ] && echo "$KUBECONFIG_CONTENT" | grep -q "apiVersion"; then + # Replace localhost/127.0.0.1 with public IP and set context name + KUBECONFIG_FILE="$HOME/.kube/k3s-${region}.yaml" + echo "$KUBECONFIG_CONTENT" | \ + sed "s|127.0.0.1|${public_ip}|g" | \ + sed "s|server: https://[^:]*:|server: https://${public_ip}:|g" | \ + sed "s|name: default|name: k3s-${region}|g" | \ + sed "s|cluster: default|cluster: k3s-${region}|g" | \ + sed "s|user: default|user: k3s-${region}|g" | \ + sed "s|current-context: default|current-context: k3s-${region}|g" \ + > "$KUBECONFIG_FILE" + + chmod 600 "$KUBECONFIG_FILE" + + # Delete existing context if present (avoids merge conflicts) + kubectl config delete-context "k3s-${region}" 2>/dev/null || true + kubectl config delete-cluster "k3s-${region}" 2>/dev/null || true + kubectl config delete-user "k3s-${region}" 2>/dev/null || true + + # Merge into main kubeconfig + export KUBECONFIG="$HOME/.kube/config:$KUBECONFIG_FILE" + kubectl config view --flatten > "$HOME/.kube/config.new" + mv "$HOME/.kube/config.new" "$HOME/.kube/config" + chmod 600 "$HOME/.kube/config" + unset KUBECONFIG + + echo " ✓ Context added: k3s-${region}" + else + echo " ⚠ Could not retrieve kubeconfig for k3s-${region}" + echo " Debug: Run Command output was:" + echo "$KUBECONFIG_CONTENT" | head -5 + fi +done + +# Create kubectl aliases +echo "" +echo "Setting up kubectl aliases..." 
+ +ALIAS_FILE="$HOME/.bashrc" +if [[ "$OSTYPE" == "darwin"* ]]; then + ALIAS_FILE="$HOME/.zshrc" +fi + +# Remove old aliases (use markers for clean removal) +if [ -f "$ALIAS_FILE" ]; then + awk '/# BEGIN k3s-fleet aliases/,/# END k3s-fleet aliases/ {next} {print}' "$ALIAS_FILE" > "$ALIAS_FILE.tmp" 2>/dev/null || true + mv "$ALIAS_FILE.tmp" "$ALIAS_FILE" 2>/dev/null || true +fi + +# Add new aliases with markers +{ + echo "" + echo "# BEGIN k3s-fleet aliases" + echo "alias k-hub='kubectl --context hub-${HUB_REGION}'" + echo "alias k-${HUB_REGION}='kubectl --context hub-${HUB_REGION}'" + for region in "${K3S_REGION_ARRAY[@]}"; do + echo "alias k-${region}='kubectl --context k3s-${region}'" + done + echo "# END k3s-fleet aliases" +} >> "$ALIAS_FILE" + +echo "✓ Aliases added to $ALIAS_FILE" + +# Save deployment info (quote values with spaces) +DEPLOYMENT_INFO_FILE="${SCRIPT_DIR}/.deployment-info" +{ + echo "RESOURCE_GROUP=\"$RESOURCE_GROUP\"" + echo "HUB_REGION=\"$HUB_REGION\"" + echo "HUB_CLUSTER_NAME=\"hub-${HUB_REGION}\"" + echo "AKS_CLUSTER_NAME=\"$AKS_CLUSTER_NAME\"" + echo "K3S_REGIONS=\"${K3S_REGION_ARRAY[*]}\"" + echo "K3S_PUBLIC_IPS=\"${K3S_IP_ARRAY[*]}\"" +} > "$DEPLOYMENT_INFO_FILE" + +echo "" +echo "=======================================" +echo "Infrastructure Deployment Complete!" +echo "=======================================" +echo "" +echo "Clusters:" +echo " - hub-${HUB_REGION} (AKS)" +for i in "${!K3S_REGION_ARRAY[@]}"; do + echo " - k3s-${K3S_REGION_ARRAY[$i]} (VM: ${K3S_IP_ARRAY[$i]})" +done +echo "" +echo "Next steps:" +echo " 1. Source your shell config: source $ALIAS_FILE" +echo " 2. Install Istio: ./install-istio.sh" +echo " 3. Setup Fleet: ./setup-fleet.sh" +echo " 4. Install cert-manager: ./install-cert-manager.sh" +echo " 5. Install DocumentDB operator: ./install-documentdb-operator.sh" +echo " 6. 
Deploy DocumentDB: ./deploy-documentdb.sh" +echo "" +echo "Quick test:" +echo " kubectl --context hub-${HUB_REGION} get nodes" +for region in "${K3S_REGION_ARRAY[@]}"; do + echo " kubectl --context k3s-${region} get nodes" +done +echo "" diff --git a/documentdb-playground/k3s-azure-fleet/documentdb-operator-crp.yaml b/documentdb-playground/k3s-azure-fleet/documentdb-operator-crp.yaml new file mode 100644 index 00000000..b0fa5b1e --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/documentdb-operator-crp.yaml 
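Review bot: The k3s kubeconfig is written under the caller's default umask and only restricted afterwards: the `sed` pipeline redirects into `$KUBECONFIG_FILE` before `chmod 600` runs, and `kubectl config view --flatten > "$HOME/.kube/config.new"` is moved into place before its own `chmod 600`. The content comes from /etc/rancher/k3s/k3s.yaml, the cluster's admin kubeconfig, so with a typical 022 umask the client key is briefly readable by other local users. Setting `umask 077` once near the top of the script closes that window. Separately, the alias cleanup runs `awk ... > "$ALIAS_FILE.tmp" 2>/dev/null || true` and then moves the result over the shell rc file, so a failed awk would replace the rc file with a partial one; move only on success, `awk ... > "$ALIAS_FILE.tmp" && mv "$ALIAS_FILE.tmp" "$ALIAS_FILE"`.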
@@ -0,0 +1,113 @@ +# ClusterResourcePlacement for DocumentDB operator propagation via Fleet. +# Note: The operator is installed directly on each cluster (Helm on AKS, Run Command on k3s) +# because CRP-based propagation of complex charts with CRDs causes Helm ownership conflicts. +# This CRP is kept for reference but is NOT applied by install-documentdb-operator.sh. +apiVersion: placement.kubernetes-fleet.io/v1beta1 +kind: ClusterResourcePlacement +metadata: + name: documentdb-operator-crp +spec: + resourceSelectors: + - group: "" + version: v1 + kind: Namespace + name: documentdb-operator + - group: "" + version: v1 + kind: Namespace + name: cnpg-system + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + labelSelector: + matchLabels: + app: documentdb-operator + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: publications.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: failoverquorums.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: poolers.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: clusterimagecatalogs.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: imagecatalogs.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: backups.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: scheduledbackups.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: subscriptions.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: databases.postgresql.cnpg.io + - group: "apiextensions.k8s.io" + version: v1 + kind: CustomResourceDefinition + name: 
clusters.postgresql.cnpg.io + # RBAC roles and bindings + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRole + labelSelector: + matchLabels: + app.kubernetes.io/name: documentdb-operator + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRole + name: documentdb-operator-cloudnative-pg + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRole + name: documentdb-operator-cloudnative-pg-edit + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRole + name: documentdb-operator-cloudnative-pg-view + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRoleBinding + labelSelector: + matchLabels: + app.kubernetes.io/name: documentdb-operator + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRoleBinding + name: documentdb-operator-cloudnative-pg + - group: "admissionregistration.k8s.io" + version: v1 + kind: MutatingWebhookConfiguration + name: cnpg-mutating-webhook-configuration + - group: "admissionregistration.k8s.io" + version: v1 + kind: ValidatingWebhookConfiguration + name: cnpg-validating-webhook-configuration + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRole + name: wal-replica-manager + - group: "rbac.authorization.k8s.io" + version: v1 + kind: ClusterRoleBinding + name: wal-replica-manager-binding + policy: + placementType: PickAll + strategy: + type: RollingUpdate diff --git a/documentdb-playground/k3s-azure-fleet/documentdb-resource-crp.yaml b/documentdb-playground/k3s-azure-fleet/documentdb-resource-crp.yaml new file mode 100644 index 00000000..44e25b51 --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/documentdb-resource-crp.yaml 
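Review bot: Three selectors here match by label rather than by name (the CustomResourceDefinition on `app: documentdb-operator`, and the ClusterRole and ClusterRoleBinding on `app.kubernetes.io/name: documentdb-operator`), and the policy is `PickAll`. If this manifest is ever applied, any cluster-scoped RBAC object on the hub that carries that label would presumably be propagated to every member cluster, not only the objects the chart created. Since the header says the file is kept for reference, I would add a comment above the `# RBAC roles and bindings` line such as `# NOTE: the label selectors below propagate every matching ClusterRole/ClusterRoleBinding on the hub to all members; list objects by name before applying.`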
@@ -0,0 +1,88 @@ +# Namespace definition with Istio injection enabled +apiVersion: v1 +kind: Namespace +metadata: + name: documentdb-preview-ns + labels: + istio-injection: enabled + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: documentdb-credentials + namespace: documentdb-preview-ns +type: Opaque +stringData: + username: default_user + password: {{DOCUMENTDB_PASSWORD}} + +--- + +apiVersion: documentdb.io/preview +kind: DocumentDB +metadata: + name: documentdb-preview + namespace: documentdb-preview-ns +spec: + nodeCount: 1 + instancesPerNode: 1 + documentDBImage: ghcr.io/microsoft/documentdb/documentdb-local:16 + gatewayImage: ghcr.io/microsoft/documentdb/documentdb-local:16 + resource: + storage: + pvcSize: 10Gi + # Note: k3s clusters use 'aks' environment (only aks/eks/gke are supported) + environment: aks + clusterReplication: + highAvailability: true + # Use Istio for cross-cluster communication + crossCloudNetworkingStrategy: Istio + primary: {{PRIMARY_CLUSTER}} + clusterList: +{{CLUSTER_LIST}} + exposeViaService: + serviceType: LoadBalancer + logLevel: info + +--- + +apiVersion: placement.kubernetes-fleet.io/v1beta1 +kind: ClusterResourcePlacement +metadata: + name: documentdb-namespace-crp +spec: + resourceSelectors: + - group: "" + version: v1 + kind: Namespace + name: documentdb-preview-ns + selectionScope: NamespaceOnly + policy: + placementType: PickAll + strategy: + type: RollingUpdate + +--- + +# ResourcePlacement for DocumentDB resources within the namespace +apiVersion: placement.kubernetes-fleet.io/v1beta1 +kind: ResourcePlacement +metadata: + name: documentdb-resource-rp + namespace: documentdb-preview-ns +spec: + resourceSelectors: + - group: documentdb.io + kind: DocumentDB + version: preview + name: documentdb-preview + - group: "" + version: v1 + kind: Secret + name: documentdb-credentials + policy: + placementType: PickAll + strategy: + type: RollingUpdate 
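Review bot: `exposeViaService.serviceType: LoadBalancer` combined with `placementType: PickAll` requests an externally reachable database endpoint on every cluster in the fleet, while deploy-documentdb.sh only documents access through `kubectl port-forward`. Whether the address is public depends on the cluster (on the k3s VMs, which are given public IPs, it likely is), and the documented connection string sets `tlsAllowInvalidCertificates=true`, so the password is effectively the only protection. If the operator's CRD accepts it and replication does not depend on this Service, `serviceType: ClusterIP` would be the safer default for a playground. Otherwise a comment next to the field should say that the endpoint is exposed outside the cluster.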
diff --git a/documentdb-playground/k3s-azure-fleet/install-cert-manager.sh b/documentdb-playground/k3s-azure-fleet/install-cert-manager.sh new file mode 100755 index 00000000..e4f4ec0e --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/install-cert-manager.sh 
@@ -0,0 +1,106 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Install cert-manager on all clusters (AKS hub via kubectl, k3s via kubectl context) + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Load deployment info +if [ -f "$SCRIPT_DIR/.deployment-info" ]; then + source "$SCRIPT_DIR/.deployment-info" +else + echo "Error: Deployment info not found. Run deploy-infrastructure.sh first." + exit 1 +fi + +CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-v1.14.4}" +HUB_CLUSTER_NAME="${HUB_CLUSTER_NAME:-hub-${HUB_REGION}}" + +echo "=======================================" +echo "cert-manager Installation" +echo "=======================================" +echo "Version: $CERT_MANAGER_VERSION" +echo "Hub Cluster: $HUB_CLUSTER_NAME" +echo "=======================================" + +# Get all member clusters +ALL_MEMBERS="$HUB_CLUSTER_NAME" + +# Add k3s clusters from deployment info +IFS=' ' read -ra K3S_REGION_ARRAY <<< "${K3S_REGIONS:-}" +for region in "${K3S_REGION_ARRAY[@]}"; do + if kubectl config get-contexts "k3s-$region" &>/dev/null; then + ALL_MEMBERS="$ALL_MEMBERS k3s-$region" + fi +done + +echo "Installing on: $ALL_MEMBERS" + +# Add Jetstack Helm repo +echo "" +echo "Adding Jetstack Helm repository..." +helm repo add jetstack https://charts.jetstack.io --force-update +helm repo update + +# Install cert-manager on each member cluster +for cluster in $ALL_MEMBERS; do + echo "" + echo "=======================================" + echo "Installing cert-manager on $cluster" + echo "=======================================" + + kubectl config use-context "$cluster" + + # Check if already installed + if helm list -n cert-manager 2>/dev/null | grep -q cert-manager; then + echo "cert-manager already installed on $cluster, upgrading..." + HELM_CMD="upgrade" + else + HELM_CMD="install" + fi + + # Apply CRDs explicitly (helm crds.enabled can fail silently) + echo "Applying cert-manager CRDs..." 
+ kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.crds.yaml" + + # Install/upgrade cert-manager + helm $HELM_CMD cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version "$CERT_MANAGER_VERSION" \ + --set crds.enabled=true \ + --set prometheus.enabled=false \ + --set webhook.timeoutSeconds=30 \ + --set startupapicheck.enabled=false \ + --wait --timeout 5m || echo "Warning: cert-manager may not be fully ready on $cluster" + + echo "✓ cert-manager installed on $cluster" +done + +# Apply ClusterResourcePlacement on hub for future clusters +echo "" +echo "Applying cert-manager ClusterResourcePlacement on hub..." +kubectl config use-context "$HUB_CLUSTER_NAME" +kubectl apply -f "$SCRIPT_DIR/cert-manager-crp.yaml" + +# Verify installation +echo "" +echo "=======================================" +echo "Verification" +echo "=======================================" + +for cluster in $ALL_MEMBERS; do + echo "" + echo "=== $cluster ===" + kubectl --context "$cluster" get pods -n cert-manager 2>/dev/null || echo " Pods not ready" +done + +echo "" +echo "=======================================" +echo "✅ cert-manager Installation Complete!" +echo "=======================================" +echo "" +echo "Next steps:" +echo " 1. ./install-documentdb-operator.sh" +echo " 2. ./deploy-documentdb.sh" +echo "=======================================" diff --git a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh new file mode 100755 index 00000000..6becedba --- /dev/null +++ b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh 
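Review bot: A failed Helm run is reported as success: `helm $HELM_CMD ... --wait --timeout 5m || echo "Warning: ..."` swallows the exit status, and the next line prints `✓ cert-manager installed on $cluster` unconditionally. That matters here because the CRDs are first created with `kubectl apply` and the chart is then asked to manage them too (`--set crds.enabled=true`). On chart versions that honour that value Helm may refuse to adopt the existing CRDs, and the script would carry on to the ClusterResourcePlacement step with no working cert-manager. I would let the failure stop the script, `|| { echo "Error: cert-manager install failed on $cluster" >&2; exit 1; }`, pick a single owner for the CRDs, and replace the `helm list | grep` branch with `helm upgrade --install`.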
@@ -0,0 +1,179 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Install DocumentDB operator on all clusters
+# - AKS hub: installed via Helm from local chart package
+# - k3s VMs: installed via Azure VM Run Command (CNPG from upstream, operator manifests via base64)
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Load deployment info
+if [ -f "$SCRIPT_DIR/.deployment-info" ]; then
+ source "$SCRIPT_DIR/.deployment-info"
+else
+ echo "Error: Deployment info not found. Run deploy-infrastructure.sh first."
+ exit 1
+fi
+
+CHART_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)/operator/documentdb-helm-chart"
+VERSION="${VERSION:-200}"
+VALUES_FILE="${VALUES_FILE:-}"
+HUB_CLUSTER_NAME="${HUB_CLUSTER_NAME:-hub-${HUB_REGION}}"
+
+echo "======================================="
+echo "DocumentDB Operator Installation"
+echo "======================================="
+echo "Hub Cluster: $HUB_CLUSTER_NAME"
+echo "Chart Directory: $CHART_DIR"
+echo "======================================="
+
+# Check prerequisites
+for cmd in kubectl helm; do
+ if ! command -v "$cmd" &>/dev/null; then
+ echo "Error: Required command '$cmd' not found."
+ exit 1
+ fi
+done
+
+# ─── Step 1: Install on AKS hub via Helm ───
+echo ""
+echo "======================================="
+echo "Step 1: Installing operator on AKS hub ($HUB_CLUSTER_NAME)"
+echo "======================================="
+
+kubectl config use-context "$HUB_CLUSTER_NAME"
+
+CHART_PKG="$SCRIPT_DIR/documentdb-operator-0.0.${VERSION}.tgz"
+rm -f "$CHART_PKG"
+
+echo "Packaging Helm chart..."
+helm dependency update "$CHART_DIR"
+helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR"
+
+echo ""
+echo "Installing operator..."
+HELM_ARGS=(
+ --namespace documentdb-operator
+ --create-namespace
+ --wait --timeout 10m
+)
+if [ -n "$VALUES_FILE" ] && [ -f "$VALUES_FILE" ]; then
+ HELM_ARGS+=(--values "$VALUES_FILE")
+fi
+helm upgrade --install documentdb-operator "$CHART_PKG" "${HELM_ARGS[@]}"
+echo "✓ Operator installed on $HUB_CLUSTER_NAME"
+
+# ─── Step 2: Install on k3s clusters via Run Command ───
+echo ""
+echo "======================================="
+echo "Step 2: Installing operator on k3s clusters via Run Command"
+echo "======================================="
+
+# Generate DocumentDB-specific manifests (excluding CNPG subchart)
+echo "Generating DocumentDB operator manifests..."
+DOCDB_MANIFESTS=$(mktemp)
+
+# Add documentdb-operator namespace
+cat > "$DOCDB_MANIFESTS" << 'NSEOF'
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: documentdb-operator
+NSEOF
+
+# Extract DocumentDB-specific templates (non-CNPG)
+helm template documentdb-operator "$CHART_PKG" \
+ --namespace documentdb-operator \
+ --include-crds 2>/dev/null | \
+ awk '
+ /^# Source: documentdb-operator\/crds\/documentdb\.io/{p=1}
+ /^# Source: documentdb-operator\/templates\//{p=1}
+ /^# Source: documentdb-operator\/charts\//{p=0}
+ p
+ ' >> "$DOCDB_MANIFESTS"
+
+MANIFEST_B64=$(base64 < "$DOCDB_MANIFESTS")
+MANIFEST_SIZE=$(wc -c < "$DOCDB_MANIFESTS" | tr -d ' ')
+rm -f "$DOCDB_MANIFESTS"
+
+if [ "$MANIFEST_SIZE" -lt 100 ]; then
+ echo "Error: Generated manifest is too small (${MANIFEST_SIZE} bytes) — Helm template may have failed."
+ exit 1
+fi
+
+echo "Manifest size: $(echo "$MANIFEST_B64" | wc -c | tr -d ' ') bytes (base64), ${MANIFEST_SIZE} bytes (raw)"
+
+IFS=' ' read -ra K3S_REGION_ARRAY <<< "${K3S_REGIONS:-}"
+for region in "${K3S_REGION_ARRAY[@]}"; do
+ VM_NAME="k3s-$region"
+ echo ""
+ echo "--- Installing on $VM_NAME ---"
+
+ # Step 2a: Ensure Helm is installed
+ echo " Ensuring Helm is available..."
+ az vm run-command invoke -g "$RESOURCE_GROUP" -n "$VM_NAME" --command-id RunShellScript \
+ --scripts 'which helm || (curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash)' \
+ --query 'value[0].message' -o tsv 2>/dev/null | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag'
+
+ # Step 2b: Install CNPG from upstream release manifest
+ echo " Installing CloudNative-PG..."
+ az vm run-command invoke -g "$RESOURCE_GROUP" -n "$VM_NAME" --command-id RunShellScript \
+ --scripts '
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+kubectl apply --server-side -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.27.1.yaml 2>&1 | tail -3
+echo "Waiting for CNPG..."
+kubectl -n cnpg-system rollout status deployment/cnpg-controller-manager --timeout=120s 2>&1 || true
+echo "CNPG ready"
+' \
+ --query 'value[0].message' -o tsv 2>/dev/null | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag'
+
+ # Step 2c: Apply DocumentDB operator manifests
+ echo " Applying DocumentDB operator manifests..."
+ az vm run-command invoke -g "$RESOURCE_GROUP" -n "$VM_NAME" --command-id RunShellScript \
+ --scripts "
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+echo '${MANIFEST_B64}' | base64 -d > /tmp/docdb-manifests.yaml
+kubectl apply --server-side -f /tmp/docdb-manifests.yaml 2>&1 | tail -5
+rm -f /tmp/docdb-manifests.yaml
+echo 'Waiting for operator...'
+kubectl -n documentdb-operator rollout status deployment/documentdb-operator --timeout=120s 2>&1 || true
+echo 'Done'
+" \
+ --query 'value[0].message' -o tsv 2>/dev/null | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag'
+
+ echo " ✓ Operator installed on $VM_NAME"
+done
+
+# ─── Step 3: Verify ───
+echo ""
+echo "======================================="
+echo "Verification"
+echo "======================================="
+
+echo ""
+echo "=== $HUB_CLUSTER_NAME ==="
+kubectl --context "$HUB_CLUSTER_NAME" get pods -n documentdb-operator -o wide 2>/dev/null || echo " No pods"
+kubectl --context "$HUB_CLUSTER_NAME" get pods -n cnpg-system -o wide 2>/dev/null || echo " No pods"
+
+for region in "${K3S_REGION_ARRAY[@]}"; do
+ VM_NAME="k3s-$region"
+ echo ""
+ echo "=== $VM_NAME ==="
+ az vm run-command invoke -g "$RESOURCE_GROUP" -n "$VM_NAME" --command-id RunShellScript \
+ --scripts '
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+kubectl get pods -n documentdb-operator
+kubectl get pods -n cnpg-system
+' \
+ --query 'value[0].message' -o tsv 2>/dev/null | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag'
+done
+
+echo ""
+echo "======================================="
+echo "✅ DocumentDB Operator Installation Complete!"
+echo "======================================="
+echo ""
+echo "Next step:"
+echo " ./deploy-documentdb.sh"
+echo "======================================="
diff --git a/documentdb-playground/k3s-azure-fleet/install-istio.sh b/documentdb-playground/k3s-azure-fleet/install-istio.sh
new file mode 100755
index 00000000..3bd550b0
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/install-istio.sh
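Review bot: Step 2a pipes a script fetched from the `main` branch of helm/helm straight into `bash` through Run Command, which runs it as an elevated user on the VM, so whatever that branch serves at run time is executed without review or an integrity check. None of the later Run Command steps visible in this file call `helm` on the VM (2b and 2c only use `kubectl apply`), so the simplest fix is to drop step 2a; if Helm is needed there, download a pinned release archive and compare it with the published checksum before installing. The CNPG manifest in step 2b is likewise read from the mutable `main` branch and should reference a release tag or commit instead. Step 2c writes to the fixed path `/tmp/docdb-manifests.yaml`; a `mktemp`-created file on the VM avoids a pre-existing file or symlink at that name.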
@@ -0,0 +1,309 @@
+#!/bin/bash
+set -e
+
+# ================================
+# Install Istio Service Mesh across all clusters
+# ================================
+# - AKS hub: installed via istioctl (standard approach)
+# - k3s VMs: installed via Helm + istioctl (for east-west gateway)
+#
+# Uses multi-primary, multi-network mesh configuration
+# with shared root CA for cross-cluster mTLS trust.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ISTIO_VERSION="${ISTIO_VERSION:-1.24.0}"
+
+# Load deployment info
+if [ -f "${SCRIPT_DIR}/.deployment-info" ]; then
+ source "${SCRIPT_DIR}/.deployment-info"
+else
+ echo "Error: .deployment-info not found. Run deploy-infrastructure.sh first."
+ exit 1
+fi
+
+# Build cluster list
+ALL_CLUSTERS=("hub-${HUB_REGION}")
+IFS=' ' read -ra K3S_REGION_ARRAY <<< "$K3S_REGIONS"
+IFS=' ' read -ra K3S_IP_ARRAY <<< "$K3S_PUBLIC_IPS"
+for region in "${K3S_REGION_ARRAY[@]}"; do
+ ALL_CLUSTERS+=("k3s-${region}")
+done
+
+echo "======================================="
+echo "Istio Service Mesh Installation"
+echo "======================================="
+echo "Version: $ISTIO_VERSION"
+echo "Clusters: ${ALL_CLUSTERS[*]}"
+echo "======================================="
+echo ""
+
+# Download istioctl if not present
+if ! command -v istioctl &> /dev/null; then
+ echo "Installing istioctl..."
+ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
+ export PATH="$PWD/istio-${ISTIO_VERSION}/bin:$PATH"
+ echo "✓ istioctl installed"
+fi
+
+ISTIO_INSTALLED_VERSION=$(istioctl version --remote=false 2>/dev/null | head -1 || echo "unknown")
+echo "Using istioctl: $ISTIO_INSTALLED_VERSION"
+
+# ─── Generate shared root CA ───
+CERT_DIR="${SCRIPT_DIR}/.istio-certs"
+mkdir -p "$CERT_DIR"
+
+if [ ! -f "$CERT_DIR/root-cert.pem" ]; then
+ echo ""
+ echo "Generating shared root CA..."
+ pushd "$CERT_DIR" > /dev/null
+ if [ ! -d "istio-${ISTIO_VERSION}" ]; then
+ curl -sL "https://github.com/istio/istio/archive/refs/tags/${ISTIO_VERSION}.tar.gz" | tar xz
+ fi
+ make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" root-ca
+ echo "✓ Root CA generated"
+ popd > /dev/null
+fi
+
+# ─── Install Istio on each cluster ───
+for i in "${!ALL_CLUSTERS[@]}"; do
+ cluster="${ALL_CLUSTERS[$i]}"
+ network_id="network$((i + 1))"
+
+ echo ""
+ echo "======================================="
+ echo "Installing Istio on $cluster (${network_id})"
+ echo "======================================="
+
+ # Verify cluster access
+ if ! kubectl --context "$cluster" get nodes --request-timeout=10s &>/dev/null; then
+ echo "⚠ Cannot access $cluster via kubectl, trying Run Command..."
+ fi
+
+ # Create istio-system namespace and label
+ kubectl --context "$cluster" create namespace istio-system --dry-run=client -o yaml | \
+ kubectl --context "$cluster" apply -f - 2>/dev/null || true
+ kubectl --context "$cluster" label namespace istio-system topology.istio.io/network="${network_id}" --overwrite 2>/dev/null || true
+
+ # Generate and apply cluster-specific certificates
+ echo "Generating certificates for $cluster..."
+ pushd "$CERT_DIR" > /dev/null
+ make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" "${cluster}-cacerts"
+ popd > /dev/null
+
+ kubectl --context "$cluster" create secret generic cacerts -n istio-system \
+ --from-file="${CERT_DIR}/${cluster}/ca-cert.pem" \
+ --from-file="${CERT_DIR}/${cluster}/ca-key.pem" \
+ --from-file="${CERT_DIR}/${cluster}/root-cert.pem" \
+ --from-file="${CERT_DIR}/${cluster}/cert-chain.pem" \
+ --dry-run=client -o yaml | kubectl --context "$cluster" apply -f - 2>/dev/null || true
+ echo "✓ Certificates configured"
+
+ if [[ "$cluster" == k3s-* ]]; then
+ # ─── k3s clusters: use Helm for base + istiod, istioctl for gateway ───
+ echo "Installing Istio via Helm (k3s-optimized)..."
+
+ # Add Istio Helm repo
+ helm repo add istio https://istio-release.storage.googleapis.com/charts 2>/dev/null || true
+ helm repo update istio 2>/dev/null || true
+
+ # Install istio-base
+ helm upgrade --install istio-base istio/base \
+ --kube-context "$cluster" \
+ --namespace istio-system \
+ --version "$ISTIO_VERSION" \
+ --wait --timeout 2m 2>/dev/null || echo " istio-base may already be installed"
+
+ # Install istiod (single replica, no autoscale for k3s)
+ helm upgrade --install istiod istio/istiod \
+ --kube-context "$cluster" \
+ --namespace istio-system \
+ --version "$ISTIO_VERSION" \
+ --set global.meshID=mesh1 \
+ --set global.multiCluster.clusterName="$cluster" \
+ --set global.network="$network_id" \
+ --set pilot.autoscaleEnabled=false \
+ --set pilot.replicaCount=1 \
+ --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE="true" \
+ --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_AUTO_ALLOCATE="true" \
+ --wait --timeout 5m 2>/dev/null || echo " istiod may already be installed"
+
+ echo "✓ Istio control plane installed via Helm"
+
+ # Install east-west gateway via istioctl
+ echo "Installing east-west gateway..."
+ cat </dev/null || true +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: eastwest +spec: + revision: "" + profile: empty + components: + ingressGateways: + - name: istio-eastwestgateway + label: + istio: eastwestgateway + app: istio-eastwestgateway + topology.istio.io/network: ${network_id} + enabled: true + k8s: + env: + - name: ISTIO_META_ROUTER_MODE + value: "sni-dnat" + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: ${network_id} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 + values: + gateways: + istio-ingressgateway: + injectionTemplate: gateway + global: + network: ${network_id} +EOF + + # Patch east-west gateway with VM public IP + # k3s servicelb assigns node internal IPs, not public IPs + region="${cluster#k3s-}" + for idx in "${!K3S_REGION_ARRAY[@]}"; do + if [ "${K3S_REGION_ARRAY[$idx]}" = "$region" ]; then + public_ip="${K3S_IP_ARRAY[$idx]}" + if [ -n "$public_ip" ]; then + echo "Patching east-west gateway with public IP: $public_ip" + kubectl --context "$cluster" patch svc istio-eastwestgateway -n istio-system \ + --type='json' -p="[{\"op\": \"add\", \"path\": \"/spec/externalIPs\", \"value\": [\"$public_ip\"]}]" 2>/dev/null || true + fi + break + fi + done + else + # ─── AKS hub: use istioctl (standard approach) ─── + echo "Installing Istio via istioctl..." 
+ cat </dev/null || echo "") + if [ -n "$GATEWAY_IP" ]; then + echo "✓ Gateway IP: $GATEWAY_IP" + break + fi + sleep 10 + done + [ -z "$GATEWAY_IP" ] && echo "⚠ Gateway IP not yet assigned" +done + +# ─── Create remote secrets ─── +echo "" +echo "=======================================" +echo "Creating remote secrets for cross-cluster discovery" +echo "=======================================" + +for source_cluster in "${ALL_CLUSTERS[@]}"; do + for target_cluster in "${ALL_CLUSTERS[@]}"; do + if [ "$source_cluster" != "$target_cluster" ]; then + echo "Creating secret: $source_cluster -> $target_cluster" + istioctl create-remote-secret --context="$source_cluster" --name="$source_cluster" | \ + kubectl --context="$target_cluster" apply -f - 2>/dev/null || \ + echo " ⚠ Could not create remote secret (may already exist)" + fi + done +done + +echo "✓ Remote secrets configured" + +# ─── Verify ─── +echo "" +echo "=======================================" +echo "Verifying Istio Installation" +echo "=======================================" + +for cluster in "${ALL_CLUSTERS[@]}"; do + echo "" + echo "=== $cluster ===" + kubectl --context "$cluster" get pods -n istio-system -o wide 2>/dev/null | head -10 || echo " Could not get pods" + kubectl --context "$cluster" get svc -n istio-system istio-eastwestgateway 2>/dev/null || echo " Gateway not found" +done + +echo "" +echo "=======================================" +echo "✅ Istio Installation Complete!" +echo "=======================================" +echo "" +echo "Mesh: mesh1" +echo "Networks:" +for i in "${!ALL_CLUSTERS[@]}"; do + echo " - ${ALL_CLUSTERS[$i]}: network$((i + 1))" +done +echo "" +echo "Next steps:" +echo " 1. Setup Fleet: ./setup-fleet.sh" +echo " 2. Install cert-manager: ./install-cert-manager.sh" +echo " 3. Install DocumentDB operator: ./install-documentdb-operator.sh" +echo "" 
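Review bot: The shared root CA and each cluster's `ca-key.pem` are generated under `${SCRIPT_DIR}/.istio-certs` with the caller's default umask, and `mkdir -p "$CERT_DIR"` sets no mode, so the signing keys for mesh-wide mTLS can end up readable by other local users. Add `umask 077` before the `make` calls and `chmod 700 "$CERT_DIR"` after the `mkdir`; whether the `.gitignore` added in this commit excludes `.istio-certs` is not visible here and should be confirmed. The `cacerts` secret apply ends in `2>/dev/null || true` followed by an unconditional `✓ Certificates configured`, so a failed apply is silent and that cluster may then not share the common root of trust; that step should abort on error. The istioctl bootstrap `curl -L https://istio.io/downloadIstio | ... sh -` also runs a downloaded script without any integrity check. The heredoc bodies in this hunk are partly lost in this rendering, so the gateway manifests were not reviewed.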
diff --git a/documentdb-playground/k3s-azure-fleet/main.bicep b/documentdb-playground/k3s-azure-fleet/main.bicep
new file mode 100644
index 00000000..c14cba61
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/main.bicep
@@ -0,0 +1,329 @@
+// k3s on Azure VMs with AKS Hub - Istio for cross-cluster networking
+// No VNet peering required - Istio handles all cross-cluster traffic
+// Uses Azure VM Run Command for all VM operations (no SSH required)
+
+@description('Location for AKS hub cluster')
+param hubLocation string = 'westus3'
+
+@description('Regions for k3s VMs')
+param k3sRegions array = ['eastus2', 'uksouth']
+
+@description('Resource group name')
+param resourceGroupName string = resourceGroup().name
+
+@description('VM size for k3s nodes')
+param vmSize string = 'Standard_D2s_v3'
+
+@description('AKS node VM size')
+param aksVmSize string = 'Standard_DS2_v2'
+
+@description('SSH public key for VM access (required by Azure but not used - we use Run Command)')
+param sshPublicKey string
+
+@description('Admin username for VMs')
+param adminUsername string = 'azureuser'
+
+@description('k3s version')
+param k3sVersion string = 'v1.30.4+k3s1'
+
+// Variables
+var aksClusterName = 'hub-${hubLocation}'
+var aksVnetName = 'aks-${hubLocation}-vnet'
+var aksSubnetName = 'aks-subnet'
+
+// ================================
+// AKS Hub Cluster VNet
+// ================================
+resource aksVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
+ name: aksVnetName
+ location: hubLocation
+ properties: {
+ addressSpace: {
+ addressPrefixes: ['10.1.0.0/16']
+ }
+ subnets: [
+ {
+ name: aksSubnetName
+ properties: {
+ addressPrefix: '10.1.0.0/20'
+ }
+ }
+ ]
+ }
+}
+
+// ================================
+// AKS Hub Cluster
+// ================================
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
+ name: aksClusterName
+ location: hubLocation
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ dnsPrefix: aksClusterName
+ kubernetesVersion: '1.32'
+ enableRBAC: true
+ networkProfile: {
+ networkPlugin: 'azure'
+ networkPolicy: 'azure'
+ serviceCidr: '10.100.0.0/16'
+ dnsServiceIP: '10.100.0.10'
+ }
+ agentPoolProfiles: [
+ {
+ name: 'nodepool1'
+ count: 2
+ vmSize: aksVmSize
+ mode: 'System'
+ osType: 'Linux'
+ vnetSubnetID: resourceId('Microsoft.Network/virtualNetworks/subnets', aksVnetName, aksSubnetName)
+ enableAutoScaling: false
+ }
+ ]
+ aadProfile: {
+ managed: true
+ enableAzureRBAC: true
+ }
+ }
+ dependsOn: [
+ aksVnet
+ ]
+}
+
+// ================================
+// k3s VMs - one per region
+// ================================
+
+// k3s VNets
+resource k3sVnets 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (region, i) in k3sRegions: {
+ name: 'k3s-${region}-vnet'
+ location: region
+ properties: {
+ addressSpace: {
+ addressPrefixes: ['10.${i + 2}.0.0/16']
+ }
+ subnets: [
+ {
+ name: 'k3s-subnet'
+ properties: {
+ addressPrefix: '10.${i + 2}.0.0/24'
+ }
+ }
+ ]
+ }
+}]
+
+// Network Security Groups for k3s VMs
+// Note: SSH (port 22) not needed - using Azure VM Run Command for all operations
+resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (region, i) in k3sRegions: {
+ name: 'k3s-${region}-nsg'
+ location: region
+ properties: {
+ securityRules: [
+ {
+ name: 'AllowKubeAPI'
+ properties: {
+ priority: 100
+ direction: 'Inbound'
+ access: 'Allow'
+ protocol: 'Tcp'
+ sourceAddressPrefix: '*'
+ sourcePortRange: '*'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '6443'
+ }
+ }
+ {
+ name: 'AllowIstioEastWest'
+ properties: {
+ priority: 110
+ direction: 'Inbound'
+ access: 'Allow'
+ protocol: 'Tcp'
+ sourceAddressPrefix: '*'
+ sourcePortRange: '*'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '15443'
+ }
+ }
+ {
+ name: 'AllowIstioStatus'
+ properties: {
+ priority: 120
+ direction: 'Inbound'
+ access: 'Allow'
+ protocol: 'Tcp'
+ sourceAddressPrefix: '*'
+ sourcePortRange: '*'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '15021'
+ }
+ }
+ {
+ name: 'AllowHTTP'
+ properties: {
+ priority: 130
+ direction: 'Inbound'
+ access: 'Allow'
+ protocol: 'Tcp'
+ sourceAddressPrefix: '*'
+ sourcePortRange: '*'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '80'
+ }
+ }
+ {
+ name: 'AllowHTTPS'
+ properties: {
+ priority: 140
+ direction: 'Inbound'
+ access: 'Allow'
+ protocol: 'Tcp'
+ sourceAddressPrefix: '*'
+ sourcePortRange: '*'
+ destinationAddressPrefix: '*'
+ destinationPortRange: '443'
+ }
+ }
+ ]
+ }
+}]
+
+// Public IPs for k3s VMs
+resource k3sPublicIps 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for (region, i) in k3sRegions: {
+ name: 'k3s-${region}-ip'
+ location: region
+ sku: {
+ name: 'Standard'
+ }
+ properties: {
+ publicIPAllocationMethod: 'Static'
+ dnsSettings: {
+ domainNameLabel: 'k3s-${region}-${uniqueString(resourceGroup().id)}'
+ }
+ }
+}]
+
+// NICs for k3s VMs
+resource k3sNics 'Microsoft.Network/networkInterfaces@2023-05-01' = [for (region, i) in k3sRegions: {
+ name: 'k3s-${region}-nic'
+ location: region
+ properties: {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: k3sVnets[i].properties.subnets[0].id
+ }
+ privateIPAllocationMethod: 'Dynamic'
+ publicIPAddress: {
+ id: k3sPublicIps[i].id
+ }
+ }
+ }
+ ]
+ networkSecurityGroup: {
+ id: k3sNsgs[i].id
+ }
+ }
+}]
+
+// k3s VMs with cloud-init
+resource k3sVms 'Microsoft.Compute/virtualMachines@2023-07-01' = [for (region, i) in k3sRegions: {
+ name: 'k3s-${region}'
+ location: region
+ properties: {
+ hardwareProfile: {
+ vmSize: vmSize
+ }
+ osProfile: {
+ computerName: 'k3s-${region}'
+ adminUsername: adminUsername
+ linuxConfiguration: {
+ disablePasswordAuthentication: true
+ ssh: {
+ publicKeys: [
+ {
+ path: '/home/${adminUsername}/.ssh/authorized_keys'
+ keyData: sshPublicKey
+ }
+ ]
+ }
+ }
+ customData: base64(format('''#cloud-config
+package_update: true
+package_upgrade: true
+
+packages:
+ - curl
+ - jq
+
+runcmd:
+ # Get public IP via IMDS (retry in case metadata service isn't ready)
+ - for i in $(seq 1 10); do PUBLIC_IP=$(curl -s -H Metadata:true
"http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2021-02-01&format=text" 2>/dev/null); [ -n "$PUBLIC_IP" ] && break; sleep 5; done + # Get private IP via IMDS + - PRIVATE_IP=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/privateIpAddress?api-version=2021-02-01&format=text" 2>/dev/null) + # Write k3s config: tls-san for external kubectl, advertise-address so pods reach API via ClusterIP + - mkdir -p /etc/rancher/k3s + - | + cat > /etc/rancher/k3s/config.yaml </dev/null; then + echo "Error: Required command '$cmd' not found." + exit 1 + fi +done + +# Get all member clusters (hub is also a member + k3s clusters) +ALL_MEMBERS="$HUB_CLUSTER_NAME" + +# Add k3s clusters from deployment info +IFS=' ' read -ra K3S_REGION_ARRAY <<< "$K3S_REGIONS" +for region in "${K3S_REGION_ARRAY[@]}"; do + if kubectl config get-contexts "k3s-$region" &>/dev/null; then + ALL_MEMBERS="$ALL_MEMBERS k3s-$region" + fi +done + +echo "Members to join: $ALL_MEMBERS" + +# Clone KubeFleet repository +KUBFLEET_DIR=$(mktemp -d) +FLEET_NET_DIR="" +trap 'rm -rf "$KUBFLEET_DIR" "$FLEET_NET_DIR"' EXIT + +echo "" +echo "Cloning KubeFleet repository..." +if ! git clone --quiet https://github.com/kubefleet-dev/kubefleet.git "$KUBFLEET_DIR"; then + echo "ERROR: Failed to clone KubeFleet repository" + exit 1 +fi + +pushd "$KUBFLEET_DIR" > /dev/null + +# Get latest tag +FLEET_TAG=$(curl -s "https://api.github.com/repos/kubefleet-dev/kubefleet/tags" | jq -r '.[0].name') +echo "Using KubeFleet version: $FLEET_TAG" + +# Switch to hub context +kubectl config use-context "$HUB_CLUSTER_NAME" + +# Install hub-agent on the hub cluster +echo "" +echo "Installing KubeFleet hub-agent on $HUB_CLUSTER_NAME..." 
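Review bot: Every rule in `k3sNsgs` uses `sourceAddressPrefix: '*'`, so `AllowKubeAPI` exposes the k3s API server on 6443 to any internet source, together with 15443, 15021, 80 and 443. For the API port I would introduce a parameter such as `param allowedApiSourcePrefix string` and set `sourceAddressPrefix: allowedApiSourcePrefix` in `AllowKubeAPI`, so the person deploying has to state which address range may reach the control plane. The Istio east-west rules could be narrowed in the same way if the peer clusters' egress addresses are known at deploy time. The remainder of the template (the cloud-init body and anything after it) is lost in this rendering and was not reviewed.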
+export REGISTRY="ghcr.io/kubefleet-dev/kubefleet"
+export TAG="$FLEET_TAG"
+
+helm upgrade --install hub-agent ./charts/hub-agent/ \
+ --set image.pullPolicy=Always \
+ --set image.repository=$REGISTRY/hub-agent \
+ --set image.tag=$TAG \
+ --set logVerbosity=5 \
+ --set enableGuardRail=false \
+ --set forceDeleteWaitTime="3m0s" \
+ --set clusterUnhealthyThreshold="5m0s" \
+ --set logFileMaxSize=100000 \
+ --set MaxConcurrentClusterPlacement=200 \
+ --set namespace=fleet-system-hub \
+ --set enableWorkload=true \
+ --wait
+
+echo "✓ Hub-agent installed"
+
+# Join member clusters using KubeFleet's script
+# Known issue: joinMC.sh passes extra args to `kubectl config use-context`.
+# If a member fails to join, see README troubleshooting for manual join steps.
+echo ""
+echo "Joining member clusters to fleet..."
+chmod +x ./hack/membership/joinMC.sh
+./hack/membership/joinMC.sh "$TAG" "$HUB_CLUSTER_NAME" $ALL_MEMBERS
+
+popd > /dev/null
+
+# Install fleet-networking
+echo ""
+echo "Setting up fleet-networking..."
+FLEET_NET_DIR=$(mktemp -d)
+if ! git clone --quiet https://github.com/Azure/fleet-networking.git "$FLEET_NET_DIR"; then
+ echo "ERROR: Failed to clone fleet-networking repository"
+ exit 1
+fi
+
+pushd "$FLEET_NET_DIR" > /dev/null
+
+NETWORKING_TAG=$(curl -s "https://api.github.com/repos/Azure/fleet-networking/tags" | jq -r '.[0].name')
+echo "Using fleet-networking version: $NETWORKING_TAG"
+
+# Install hub-net-controller-manager
+kubectl config use-context "$HUB_CLUSTER_NAME"
+echo "Installing hub-net-controller-manager..."
+
+helm upgrade --install hub-net-controller-manager ./charts/hub-net-controller-manager/ \
+ --set fleetSystemNamespace=fleet-system-hub \
+ --set leaderElectionNamespace=fleet-system-hub \
+ --set image.tag=$NETWORKING_TAG \
+ --wait || echo "Warning: hub-net-controller-manager installation may have issues"
+
+HUB_CLUSTER_ADDRESS=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$HUB_CLUSTER_NAME\")].cluster.server}")
+
+# Install networking on each member
+for MEMBER_CLUSTER in $ALL_MEMBERS; do
+ echo ""
+ echo "Installing fleet-networking on $MEMBER_CLUSTER..."
+
+ kubectl config use-context "$MEMBER_CLUSTER"
+
+ # Apply CRDs
+ kubectl apply -f config/crd/ 2>/dev/null || true
+
+ # Install mcs-controller-manager
+ helm upgrade --install mcs-controller-manager ./charts/mcs-controller-manager/ \
+ --set refreshtoken.repository=$REGISTRY/refresh-token \
+ --set refreshtoken.tag=$FLEET_TAG \
+ --set image.tag=$NETWORKING_TAG \
+ --set image.pullPolicy=Always \
+ --set refreshtoken.pullPolicy=Always \
+ --set config.hubURL=$HUB_CLUSTER_ADDRESS \
+ --set config.memberClusterName=$MEMBER_CLUSTER \
+ --set enableV1Beta1APIs=true \
+ --set logVerbosity=5 || echo "Warning: mcs-controller-manager may have issues on $MEMBER_CLUSTER"
+
+ # Install member-net-controller-manager
+ helm upgrade --install member-net-controller-manager ./charts/member-net-controller-manager/ \
+ --set refreshtoken.repository=$REGISTRY/refresh-token \
+ --set refreshtoken.tag=$FLEET_TAG \
+ --set image.tag=$NETWORKING_TAG \
+ --set image.pullPolicy=Always \
+ --set refreshtoken.pullPolicy=Always \
+ --set config.hubURL=$HUB_CLUSTER_ADDRESS \
+ --set config.memberClusterName=$MEMBER_CLUSTER \
+ --set enableV1Beta1APIs=true \
+ --set logVerbosity=5 || echo "Warning: member-net-controller-manager may have issues on $MEMBER_CLUSTER"
+done
+
+popd > /dev/null
+
+# Verify fleet status
+echo ""
+echo "======================================="
+echo "Fleet Status"
+echo "======================================="
+kubectl config use-context "$HUB_CLUSTER_NAME"
+
+echo ""
+echo "Member clusters:"
+kubectl get membercluster 2>/dev/null || echo "No member clusters found yet (may take a moment)"
+
+echo ""
+echo "Fleet system pods on hub:"
+kubectl get pods -n fleet-system-hub 2>/dev/null || echo "Fleet system not ready"
+
+echo ""
+echo "======================================="
+echo "✅ KubeFleet Setup Complete!"
+echo "======================================="
+echo ""
+echo "Hub: $HUB_CLUSTER_NAME"
+echo "Members: $ALL_MEMBERS"
+echo ""
+echo "Commands:"
+echo " kubectl --context $HUB_CLUSTER_NAME get membercluster"
+echo " kubectl --context $HUB_CLUSTER_NAME get clusterresourceplacement"
+echo ""
+echo "Next steps:"
+echo " 1. ./install-cert-manager.sh"
+echo " 2. ./install-documentdb-operator.sh"
+echo " 3. ./deploy-documentdb.sh"
+echo "======================================="
diff --git a/documentdb-playground/k3s-azure-fleet/test-connection.sh b/documentdb-playground/k3s-azure-fleet/test-connection.sh
new file mode 100755
index 00000000..ae1e46fe
--- /dev/null
+++ b/documentdb-playground/k3s-azure-fleet/test-connection.sh
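Review bot: The KubeFleet and fleet-networking versions are resolved at run time with `curl -s .../tags | jq -r '.[0].name'` and used unchecked as image tags, while the charts are installed from whatever the default branch of the fresh clone contains. If the GitHub API call fails or is rate-limited the script can carry on with `null` or an empty tag, and charts and images can drift apart between runs. I would pin both versions in overridable variables (`FLEET_TAG="${FLEET_TAG:-<pinned-tag>}"`), check that tag out after cloning (`git -C "$KUBFLEET_DIR" checkout --quiet "$FLEET_TAG"`), and drop `image.pullPolicy=Always` once the tag is fixed. `$REGISTRY`, `$TAG` and `$HUB_CLUSTER_ADDRESS` are also expanded unquoted in the `--set` arguments. The beginning of this script is lost in this rendering and was not reviewed.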
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Test DocumentDB connectivity across all clusters
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Load deployment info
+if [ -f "$SCRIPT_DIR/.deployment-info" ]; then
+ source "$SCRIPT_DIR/.deployment-info"
+else
+ echo "Error: Deployment info not found. Run deploy-infrastructure.sh first."
+ exit 1
+fi
+
+echo "======================================="
+echo "DocumentDB Connectivity Test"
+echo "======================================="
+
+# Get all clusters
+HUB_CLUSTER_NAME="${HUB_CLUSTER_NAME:-hub-${HUB_REGION}}"
+ALL_CLUSTERS="$HUB_CLUSTER_NAME"
+
+IFS=' ' read -ra K3S_REGION_ARRAY <<< "${K3S_REGIONS:-}"
+for region in "${K3S_REGION_ARRAY[@]}"; do
+ if kubectl config get-contexts "k3s-$region" &>/dev/null; then
+ ALL_CLUSTERS="$ALL_CLUSTERS k3s-$region"
+ fi
+done
+
+CLUSTER_ARRAY=($ALL_CLUSTERS)
+
+echo "Testing ${#CLUSTER_ARRAY[@]} clusters..."
+echo ""
+
+# Test each cluster
+PASSED=0
+FAILED=0
+
+for cluster in "${CLUSTER_ARRAY[@]}"; do
+ echo "======================================="
+ echo "Testing: $cluster"
+ echo "======================================="
+
+ if ! kubectl config get-contexts "$cluster" &>/dev/null; then
+ echo " ✗ Context not found"
+ ((FAILED++))
+ continue
+ fi
+
+ # Check namespace
+ echo -n " Namespace: "
+ if kubectl --context "$cluster" get namespace documentdb-preview-ns &>/dev/null; then
+ echo "✓"
+ else
+ echo "✗ Not found"
+ ((FAILED++))
+ continue
+ fi
+
+ # Check DocumentDB resource
+ echo -n " DocumentDB resource: "
+ if kubectl --context "$cluster" get documentdb documentdb-preview -n documentdb-preview-ns &>/dev/null; then
+ STATUS=$(kubectl --context "$cluster" get documentdb documentdb-preview -n documentdb-preview-ns -o jsonpath='{.status.phase}' 2>/dev/null || echo "Unknown")
+ echo "✓ (Status: $STATUS)"
+ else
+ echo "✗ Not found"
+ fi
+
+ # Check pods
+ echo -n " Pods: "
+ PODS=$(kubectl --context "$cluster" get pods -n documentdb-preview-ns --no-headers 2>/dev/null | wc -l | tr -d ' ')
+ READY_PODS=$(kubectl --context "$cluster" get pods -n documentdb-preview-ns --no-headers 2>/dev/null | grep -c "Running" || echo "0")
+ echo "$READY_PODS/$PODS running"
+
+ # Check service (try common naming patterns)
+ echo -n " Service: "
+ SVC_NAME=""
+ for name in "documentdb-preview" "documentdb-service-documentdb-preview"; do
+ if kubectl --context "$cluster" get svc "$name" -n documentdb-preview-ns &>/dev/null; then
+ SVC_NAME="$name"
+ break
+ fi
+ done
+ if [ -n "$SVC_NAME" ]; then
+ SVC_TYPE=$(kubectl --context "$cluster" get svc "$SVC_NAME" -n documentdb-preview-ns -o jsonpath='{.spec.type}')
+ if [ "$SVC_TYPE" = "LoadBalancer" ]; then
+ EXTERNAL_IP=$(kubectl --context "$cluster" get svc "$SVC_NAME" -n documentdb-preview-ns -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "")
+ if [ -n "$EXTERNAL_IP" ] && [ "$EXTERNAL_IP" != "" ]; then
+ echo "✓ ($SVC_TYPE: $EXTERNAL_IP)"
+ else
+ echo "✓ ($SVC_TYPE: IP pending)"
+ fi
+ else
+ echo "✓ ($SVC_TYPE)"
+ fi
+ else
+ echo "✗ Not found"
+ fi
+
+ # Check secret
+ echo -n " Credentials secret: "
+ if kubectl --context "$cluster" get secret documentdb-credentials -n documentdb-preview-ns &>/dev/null; then
+ echo "✓"
+ else
+ echo "✗ Not found"
+ fi
+
+ # Check operator
+ echo -n " Operator: "
+ OPERATOR_READY=$(kubectl --context "$cluster" get deploy documentdb-operator -n documentdb-operator -o jsonpath='{.status.readyReplicas}' 2>/dev/null || echo "0")
+ OPERATOR_DESIRED=$(kubectl --context "$cluster" get deploy documentdb-operator -n documentdb-operator -o jsonpath='{.spec.replicas}' 2>/dev/null || echo "0")
+ if [ "$OPERATOR_READY" = "$OPERATOR_DESIRED" ] && [ "$OPERATOR_READY" != "0" ]; then
+ echo "✓ ($OPERATOR_READY/$OPERATOR_DESIRED)"
+ ((PASSED++))
+ else
+ echo "✗ ($OPERATOR_READY/$OPERATOR_DESIRED)"
+ ((FAILED++))
+ fi
+
+ echo ""
+done
+
+# Summary
+echo "======================================="
+echo "Summary"
+echo "======================================="
+echo "Total clusters: ${#CLUSTER_ARRAY[@]}"
+echo "Passed: $PASSED"
+echo "Failed: $FAILED"
+echo ""
+
+if [ $FAILED -eq 0 ]; then
+ echo "✅ All tests passed!"
+ exit 0
+else
+ echo "⚠️ Some tests failed. Check the output above."
+ exit 1
+fi
From b59b867dde44ebbe4814eade73af214883fc125c Mon Sep 17 00:00:00 2001 From: German Date: Mon, 9 Feb 2026 09:37:27 -0800 Subject: [PATCH 2/9] Adds a k3s playground This deploys k3s in Azure and adds scripts to install documentdb-operator, etc. --- .../reserving-nodes-for-documentdb.md | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 docs/operator-public-documentation/reserving-nodes-for-documentdb.md
diff --git a/docs/operator-public-documentation/reserving-nodes-for-documentdb.md b/docs/operator-public-documentation/reserving-nodes-for-documentdb.md
new file mode 100644
index 00000000..7a57f112
--- /dev/null
+++ b/docs/operator-public-documentation/reserving-nodes-for-documentdb.md
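Review bot: Under `set -euo pipefail`, `((PASSED++))` and `((FAILED++))` abort the script the first time they run: a post-increment from 0 evaluates to 0, `(( ))` then returns status 1, and errexit ends the run before the summary is printed. Use `PASSED=$((PASSED + 1))` and `FAILED=$((FAILED + 1))` instead. `grep -c "Running" || echo "0"` has a related problem, because `grep -c` already prints `0` when nothing matches and the fallback appends a second `0`; `... | grep -c "Running" || true` keeps a single value. A missing DocumentDB resource, service or credentials secret prints `✗` but is not counted, so a cluster can still be reported as passed on the operator check alone.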
@@ -0,0 +1,156 @@ +# Reserving Nodes for DocumentDB Workloads + +This guide explains how to dedicate Kubernetes worker nodes exclusively to DocumentDB (PostgreSQL) workloads for optimal performance and isolation in production environments. + +## Overview + +By reserving specific nodes for DocumentDB, you ensure: + +- **Resource isolation**: Database workloads don't compete with other applications +- **Predictable performance**: Dedicated CPU, memory, and I/O resources +- **Better fault tolerance**: Database instances spread across dedicated nodes + +> **Best Practice**: Deploy dedicated nodes in multiples of three—ideally one per availability zone. This ensures a 3-instance DocumentDB cluster (1 primary + 2 replicas) is distributed across different nodes. + +## Step 1: Label Your Nodes + +Apply the `postgres` role label to nodes designated for DocumentDB. This reserved label can only be applied after the node is created: + +```bash +kubectl label node node-role.kubernetes.io/postgres= +``` + +Verify the label: + +```bash +kubectl get nodes -l node-role.kubernetes.io/postgres +``` + +## Step 2: Taint Your Nodes + +Prevent non-database workloads from being scheduled on these nodes. Use a custom taint key (cloud providers may restrict `kubernetes.io` namespace taints): + +```bash +kubectl taint node workload=postgres:NoSchedule +``` + +This ensures only pods that explicitly tolerate this taint can run on these nodes. + +## Step 3: Configure DocumentDB Scheduling + +> **Note**: The DocumentDB operator currently does not expose `nodeSelector` or `tolerations` directly in the `DocumentDBSpec`. You can configure scheduling by patching the underlying CNPG Cluster resource after creation, or request this feature be added to the operator. 
+ +### Patching the CNPG Cluster + +After deploying DocumentDB, patch the underlying CNPG Cluster: + +```bash +kubectl patch cluster -n --type=merge -p ' +{ + "spec": { + "affinity": { + "nodeSelector": { + "node-role.kubernetes.io/postgres": "" + }, + "tolerations": [ + { + "key": "workload", + "operator": "Equal", + "value": "postgres", + "effect": "NoSchedule" + } + ] + } + } +}' +``` + +### Example: Full Affinity Configuration + +For production deployments with anti-affinity (instances on different nodes/zones): + +```yaml +spec: + affinity: + nodeSelector: + node-role.kubernetes.io/postgres: "" + tolerations: + - key: workload + operator: Equal + value: postgres + effect: NoSchedule + enablePodAntiAffinity: true + topologyKey: topology.kubernetes.io/zone # Spread across AZs +``` + +## Cloud Provider Node Pools + +### Azure AKS + +Create a dedicated node pool. AKS restricts `kubernetes.io` namespace labels during creation, so use a custom label and apply the reserved label after: + +```bash +# Create node pool with custom label and taint +az aks nodepool add \ + --resource-group \ + --cluster-name \ + --name postgrespool \ + --node-count 3 \ + --node-vm-size Standard_D8s_v3 \ + --labels workload=postgres \ + --node-taints workload=postgres:NoSchedule \ + --zones 1 2 3 + +# Apply the reserved postgres label after node creation +for node in $(kubectl get nodes -l workload=postgres -o name); do + kubectl label $node node-role.kubernetes.io/postgres= +done +``` + +### AWS EKS + +```bash +eksctl create nodegroup \ + --cluster \ + --name postgres-nodes \ + --node-type m5.2xlarge \ + --nodes 3 \ + --node-labels "workload=postgres" \ + --node-taints "workload=postgres:NoSchedule" + +# Apply the reserved postgres label after node creation +for node in $(kubectl get nodes -l workload=postgres -o name); do + kubectl label $node node-role.kubernetes.io/postgres= +done +``` + +### GCP GKE + +```bash +gcloud container node-pools create postgres-pool \ + --cluster \ + 
--num-nodes 3 \ + --machine-type n2-standard-8 \ + --node-labels workload=postgres \ + --node-taints workload=postgres:NoSchedule + +# Apply the reserved postgres label after node creation +for node in $(kubectl get nodes -l workload=postgres -o name); do + kubectl label $node node-role.kubernetes.io/postgres= +done +``` + +## Recommended Node Sizing + +| Workload | vCPU | Memory | Storage | +|----------|------|--------|---------| +| Development | 2 | 8 GB | 50 GB SSD | +| Production (small) | 4 | 16 GB | 200 GB SSD | +| Production (medium) | 8 | 32 GB | 500 GB SSD | +| Production (large) | 16+ | 64+ GB | 1+ TB NVMe | + +## References + +- [CloudNativePG Architecture - Reserving Nodes](https://cloudnative-pg.io/docs/1.27/architecture/#reserving-nodes-for-postgresql-workloads) +- [Kubernetes Node Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) +- [Kubernetes Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) From 35d0d032939fc09d3c8b19cbc348bf09cba8fe3e Mon Sep 17 00:00:00 2001 
From: German Date: Mon, 9 Feb 2026 10:44:21 -0800 Subject: [PATCH 3/9] fix: address PR review comments for k3s-azure-fleet playground - Fix parameters.bicepparam: align param names with main.bicep, remove unused params - Parameterize kubernetesVersion in main.bicep (was hardcoded to 1.32) - Add allowedSourceIP param to NSG rule for Kube API (was open to *) - Add missing prerequisite checks: curl in setup-fleet.sh, make/openssl in install-istio.sh, az/base64/awk/curl in install-documentdb-operator.sh - Fix test-connection.sh: increment FAILED counter for missing DocumentDB resource, service, and credentials secret - Escape password for sed substitution in deploy-documentdb.sh - Document intentional word-splitting in setup-fleet.sh joinMC.sh call --- documentdb-playground/k3s-azure-fleet/README.md | 6 ++---- .../k3s-azure-fleet/deploy-documentdb.sh | 7 ++++++- .../install-documentdb-operator.sh | 2 +- .../k3s-azure-fleet/install-istio.sh | 8 ++++++++ documentdb-playground/k3s-azure-fleet/main.bicep | 10 ++++++++-- .../k3s-azure-fleet/parameters.bicepparam | 15 +++------------ .../k3s-azure-fleet/setup-fleet.sh | 3 ++- .../k3s-azure-fleet/test-connection.sh | 4 ++++ 8 files changed, 34 insertions(+), 21 deletions(-) diff --git a/documentdb-playground/k3s-azure-fleet/README.md b/documentdb-playground/k3s-azure-fleet/README.md index 54ceaac9..2a36a33e 100644 --- a/documentdb-playground/k3s-azure-fleet/README.md +++ b/documentdb-playground/k3s-azure-fleet/README.md 
@@ -483,10 +483,8 @@ This playground uses Azure VM Run Command instead of SSH for all VM operations: - Apply CRDs explicitly with `kubectl apply -f` before Helm install (the `crds.enabled=true` flag can silently fail) ### Corporate Network (NRMS) -- Azure NRMS policies auto-add deny rules at priority 105-109 on NSGs -- Port 22 is denied by NRMS-Rule-106; to enable SSH, add allow rule at priority 100 -- Port 6443 is not in NRMS deny lists but corporate VPN/firewall may block it -- NSG minimum priority is 100 (cannot go lower) +- Port 22 could be denied by the corporate firewall; to enable SSH, add allow rule +- Port 6443 might be blocked by corporate VPN/firewall ### Bicep Deployment Tips - Use `resourceId()` function for subnet references to avoid race conditions diff --git a/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh b/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh index 2d539b32..2486603f 100755 --- a/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh +++ b/documentdb-playground/k3s-azure-fleet/deploy-documentdb.sh @@ -144,7 +144,12 @@ fi # Generate manifest with substitutions TEMP_YAML=$(mktemp) -sed -e "s/{{DOCUMENTDB_PASSWORD}}/$DOCUMENTDB_PASSWORD/g" \ +# Escape password for safe use in sed (handle /, &, \ characters) +ESCAPED_PASSWORD="${DOCUMENTDB_PASSWORD//\\/\\\\}" +ESCAPED_PASSWORD="${ESCAPED_PASSWORD//&/\\&}" +ESCAPED_PASSWORD="${ESCAPED_PASSWORD//\//\\/}" + +sed -e "s/{{DOCUMENTDB_PASSWORD}}/$ESCAPED_PASSWORD/g" \ -e "s/{{PRIMARY_CLUSTER}}/$PRIMARY_CLUSTER/g" \ "$SCRIPT_DIR/documentdb-resource-crp.yaml" | \ while IFS= read -r line; do diff --git a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh index 6becedba..1596ca68 100755 --- a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh +++ b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh 
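Review bot: The escaped password is still interpolated into the `sed -e "s/{{DOCUMENTDB_PASSWORD}}/$ESCAPED_PASSWORD/g"` argument, so it sits on sed's command line (process list, any `set -x` trace), and a password containing a newline still breaks the expression. The three substitutions cover sed's own metacharacters only; whether the value is also safe inside the generated YAML depends on how `documentdb-resource-crp.yaml` quotes the placeholder, which this hunk does not show. Rejecting what the substitution cannot carry would make the limit explicit, e.g. `case "$DOCUMENTDB_PASSWORD" in *$'\n'*) echo "Error: DOCUMENTDB_PASSWORD must not contain newlines" >&2; exit 1 ;; esac`, and the comment could list the characters that are supported. The `while IFS= read -r line` loop continues outside the hunk.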
@@ -28,7 +28,7 @@ echo "Chart Directory: $CHART_DIR" echo "=======================================" # Check prerequisites -for cmd in kubectl helm; do +for cmd in kubectl helm az base64 awk curl; do if ! command -v "$cmd" &>/dev/null; then echo "Error: Required command '$cmd' not found." exit 1 diff --git a/documentdb-playground/k3s-azure-fleet/install-istio.sh b/documentdb-playground/k3s-azure-fleet/install-istio.sh index 3bd550b0..9a50d845 100755 --- a/documentdb-playground/k3s-azure-fleet/install-istio.sh +++ b/documentdb-playground/k3s-azure-fleet/install-istio.sh @@ -37,6 +37,14 @@ echo "Clusters: ${ALL_CLUSTERS[*]}" echo "=======================================" echo "" +# Check prerequisites +for cmd in kubectl helm make openssl curl; do + if ! command -v "$cmd" &>/dev/null; then + echo "Error: Required command '$cmd' not found." + exit 1 + fi +done + # Download istioctl if not present if ! command -v istioctl &> /dev/null; then echo "Installing istioctl..." diff --git a/documentdb-playground/k3s-azure-fleet/main.bicep b/documentdb-playground/k3s-azure-fleet/main.bicep index c14cba61..673e7d94 100644 --- a/documentdb-playground/k3s-azure-fleet/main.bicep +++ b/documentdb-playground/k3s-azure-fleet/main.bicep @@ -23,9 +23,15 @@ param sshPublicKey string @description('Admin username for VMs') param adminUsername string = 'azureuser' +@description('Kubernetes version for AKS (empty string uses region default)') +param kubernetesVersion string = '1.32' + @description('k3s version') param k3sVersion string = 'v1.30.4+k3s1' +@description('Allowed source IP for Kube API access (default: any). Set to your IP/CIDR for security.') +param allowedSourceIP string = '*' + // Variables var aksClusterName = 'hub-${hubLocation}' var aksVnetName = 'aks-${hubLocation}-vnet' 
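Review bot: `param allowedSourceIP string = '*'` in main.bicep keeps the Kube API rule on port 6443 open to any source unless the caller overrides it, so a default deployment is as exposed as before; the later `sourceAddressPrefix: allowedSourceIP` hunk only forwards the value. As far as the hunks show, neither `parameters.bicepparam` nor the `az deployment group create` call in deploy-infrastructure.sh sets it. Dropping the default (`param allowedSourceIP string`) and having the deploy script pass the operator's address or CIDR would force an explicit choice. If the open default is intentional for the playground, the description should say that it exposes the API server to the internet rather than "Set to your IP/CIDR for security".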
@@ -63,7 +69,7 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = { } properties: { dnsPrefix: aksClusterName - kubernetesVersion: '1.32' + kubernetesVersion: kubernetesVersion enableRBAC: true networkProfile: { networkPlugin: 'azure' @@ -129,7 +135,7 @@ resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (re direction: 'Inbound' access: 'Allow' protocol: 'Tcp' - sourceAddressPrefix: '*' + sourceAddressPrefix: allowedSourceIP sourcePortRange: '*' destinationAddressPrefix: '*' destinationPortRange: '6443' diff --git a/documentdb-playground/k3s-azure-fleet/parameters.bicepparam b/documentdb-playground/k3s-azure-fleet/parameters.bicepparam index cfeec2af..6b65a2ba 100644 --- a/documentdb-playground/k3s-azure-fleet/parameters.bicepparam +++ b/documentdb-playground/k3s-azure-fleet/parameters.bicepparam @@ -1,24 +1,15 @@ using './main.bicep' -param aksRegions = [ - 'westus3' - 'eastus2' -] +param hubLocation = 'westus3' param k3sRegions = [ + 'eastus2' 'uksouth' - 'northeurope' ] -param hubRegion = 'westus3' - -param kubernetesVersion = '' - param aksVmSize = 'Standard_DS2_v2' -param aksNodeCount = 2 - -param k3sVmSize = 'Standard_D2s_v3' +param vmSize = 'Standard_D2s_v3' // SSH key will be provided at deployment time param sshPublicKey = '' diff --git a/documentdb-playground/k3s-azure-fleet/setup-fleet.sh b/documentdb-playground/k3s-azure-fleet/setup-fleet.sh index 3735082b..71362c09 100755 --- a/documentdb-playground/k3s-azure-fleet/setup-fleet.sh +++ b/documentdb-playground/k3s-azure-fleet/setup-fleet.sh @@ -25,7 +25,7 @@ echo "Hub Cluster: $HUB_CLUSTER_NAME" echo "=======================================" # Check prerequisites -for cmd in kubectl helm git jq; do +for cmd in kubectl helm git jq curl; do if ! command -v "$cmd" &>/dev/null; then echo "Error: Required command '$cmd' not found." exit 1 
@@ -94,6 +94,7 @@ echo "✓ Hub-agent installed" echo "" echo "Joining member clusters to fleet..." chmod +x ./hack/membership/joinMC.sh +# Note: $ALL_MEMBERS is intentionally unquoted — joinMC.sh expects individual context names as separate args ./hack/membership/joinMC.sh "$TAG" "$HUB_CLUSTER_NAME" $ALL_MEMBERS popd > /dev/null diff --git a/documentdb-playground/k3s-azure-fleet/test-connection.sh b/documentdb-playground/k3s-azure-fleet/test-connection.sh index ae1e46fe..268cb392 100755 --- a/documentdb-playground/k3s-azure-fleet/test-connection.sh +++ b/documentdb-playground/k3s-azure-fleet/test-connection.sh @@ -65,6 +65,8 @@ for cluster in "${CLUSTER_ARRAY[@]}"; do echo "✓ (Status: $STATUS)" else echo "✗ Not found" + ((FAILED++)) + continue fi # Check pods @@ -96,6 +98,7 @@ for cluster in "${CLUSTER_ARRAY[@]}"; do fi else echo "✗ Not found" + ((FAILED++)) fi # Check secret @@ -104,6 +107,7 @@ for cluster in "${CLUSTER_ARRAY[@]}"; do echo "✓" else echo "✗ Not found" + ((FAILED++)) fi # Check operator From bc076aab5fa34609f5e16d32bf72e35d18d41e18 Mon Sep 17 00:00:00 2001 
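Review bot: The unquoted `$ALL_MEMBERS` on the `joinMC.sh` line undergoes pathname expansion as well as word splitting, which the new comment does not mention; an array keeps the one-argument-per-context behaviour without either side effect. `read -ra members <<< "$ALL_MEMBERS"` followed by `./hack/membership/joinMC.sh "$TAG" "$HUB_CLUSTER_NAME" "${members[@]}"` would do it, assuming `ALL_MEMBERS` is a space-separated string as the comment implies. How `ALL_MEMBERS` is built is outside this hunk.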
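Review bot: `FAILED` no longer counts clusters after the three test-connection.sh hunks: the missing-resource branch increments and `continue`s, but the service and secret branches increment and fall through, so one cluster can add to `FAILED` several times and still reach `((PASSED++))` in the operator check. The summary at the end of the script prints `Passed` and `Failed` next to `Total clusters`, so the totals can stop adding up. Setting a per-cluster flag in the failure branches (`cluster_ok=false`) and incrementing `PASSED` or `FAILED` once at the end of the loop body would keep the counts per cluster. Separately, `((FAILED++))` returns status 1 while `FAILED` is 0, which would end the script at the first failure if `set -e` is active (not visible here); `FAILED=$((FAILED + 1))` avoids that. The loop body starts and ends outside these hunks.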
From: German Date: Tue, 10 Feb 2026 14:56:33 -0800 Subject: [PATCH 4/9] feat: pre-generate Istio certs and remote secrets, add NSGs, update README - Pre-generate Istio CA certificates locally (openssl) and inject via cloud-init - Auto-generate Istio remote secrets on k3s VMs via cloud-init runcmd - Add NSGs to Bicep for AKS and k3s subnets (prevents NRMS auto-creation) - Open all required Istio ports (15010/15012/15017/15021/15443) - Use all-Helm approach for k3s Istio install with --skip-schema-validation - Use istio-remote-reader SA (avoids conflict with Helm istio-base chart) - Remove main.json (Bicep is the source of truth) - Update README with deployment architecture details and lessons learned --- .../k3s-azure-fleet/README.md | 28 +- .../k3s-azure-fleet/deploy-infrastructure.sh | 56 +++ .../k3s-azure-fleet/install-istio.sh | 419 +++++++++++++----- .../k3s-azure-fleet/main.bicep | 335 ++++++++++++-- .../k3s-azure-fleet/main.json | 382 ---------------- 5 files changed, 676 insertions(+), 544 deletions(-) delete mode 100644 documentdb-playground/k3s-azure-fleet/main.json diff --git a/documentdb-playground/k3s-azure-fleet/README.md b/documentdb-playground/k3s-azure-fleet/README.md index 2a36a33e..8eec07d0 100644 --- a/documentdb-playground/k3s-azure-fleet/README.md +++ b/documentdb-playground/k3s-azure-fleet/README.md 
@@ -60,12 +60,16 @@ This playground demonstrates deploying DocumentDB on **k3s clusters running on A ## Network Requirements -> **Important**: The k3s VMs require the following network access: +> **Important**: The deployment creates NSGs (Network Security Groups) for both AKS and k3s subnets to prevent Azure NRMS from auto-creating restrictive rules. The k3s VMs require the following network access: > > | Port | Protocol | Direction | Purpose | > |------|----------|-----------|---------| > | 6443 | TCP | Inbound | Kubernetes API server (kubectl access) | -> | 15443 | TCP | Inbound | Istio east-west gateway | +> | 15443 | TCP | Inbound | Istio east-west gateway (cross-cluster mTLS) | +> | 15012 | TCP | Inbound | Istio xDS secure gRPC (cross-cluster discovery) | +> | 15017 | TCP | Inbound | Istio webhook (sidecar injection) | +> | 15021 | TCP | Inbound | Istio health/status | +> | 15010 | TCP | Inbound | Istio xDS plaintext gRPC | > | 80, 443 | TCP | Inbound | HTTP/HTTPS traffic | > > **Corporate Environment Considerations**: @@ -122,6 +126,9 @@ Deploys Azure infrastructure: - AKS hub cluster in westus3 (also serves as a member) - Azure VMs with k3s in eastus2 and uksouth - Each cluster in its own VNet (no peering required - Istio handles connectivity) +- NSGs on all subnets (prevents Azure NRMS auto-creation of restrictive rules) +- **Istio CA certificates**: Pre-generated locally via openssl (zero cluster dependency) and injected into k3s VMs via cloud-init `write_files` +- **Istio remote secrets**: Auto-generated on k3s VMs via cloud-init `runcmd` (creates service account, extracts token, builds remote-secret YAML) ```bash # With defaults 
@@ -138,11 +145,11 @@ export K3S_REGIONS_CSV="eastus2,uksouth,northeurope" ### 2. `install-istio.sh` Installs Istio service mesh on all clusters: -- Generates shared root CA for cross-cluster trust -- AKS hub: installs via `istioctl` (standard approach) -- k3s VMs: installs via **Helm** (`istio-base` + `istiod`) to avoid ownership conflicts, plus `istioctl` for east-west gateway only +- **Shared root CA**: Pre-generated during `deploy-infrastructure.sh` and injected into k3s VMs via cloud-init (zero cluster dependency) +- **AKS hub**: installs via `istioctl` (standard approach) +- **k3s VMs**: installs entirely via **Helm** (`istio-base` + `istiod` + `istio/gateway`) with `--skip-schema-validation` to avoid ownership conflicts with `istioctl` +- **Remote secrets**: Pre-generated on k3s VMs via cloud-init, then distributed to other clusters - Patches k3s east-west gateways with VM public IPs (k3s `servicelb` only assigns internal IPs) -- Creates remote secrets for cross-cluster service discovery ```bash ./install-istio.sh 
@@ -465,6 +472,9 @@ This playground uses Azure VM Run Command instead of SSH for all VM operations: ### Istio on k3s - **Use Helm**, not `istioctl install`, for k3s clusters — `istioctl` creates resources without Helm annotations, causing ownership conflicts if you later use Helm +- **`--skip-schema-validation`** is required for all Helm installs (`istio-base`, `istiod`, `istio/gateway`) — the gateway chart's JSON schema rejects documented values like `labels`, `env`, `service`, `networkGateway` +- **Istio CA certs are pre-generated** during infrastructure deploy (pure `openssl` operations, no cluster needed) and injected via cloud-init `write_files` with `encoding: b64` — the k3s cloud-init `runcmd` creates the `cacerts` Kubernetes secret from these files +- **Remote secrets are pre-generated** on each k3s VM via cloud-init — creates an `istio-remote-reader` service account (NOT `istio-reader-service-account` which conflicts with Helm's `istio-base` chart), extracts token and CA, and builds the complete remote-secret YAML at `/etc/istio-remote/remote-secret.yaml` - k3s uses `servicelb` (klipper) for LoadBalancer services which assigns node IPs, not public IPs - Patch east-west gateway services with `externalIPs` pointing to the node's public IP: ```bash 
@@ -484,13 +494,17 @@ This playground uses Azure VM Run Command instead of SSH for all VM operations: ### Corporate Network (NRMS) - Port 22 could be denied by the corporate firewall; to enable SSH, add allow rule -- Port 6443 might be blocked by corporate VPN/firewall +- Port 6443 might be blocked by corporate VPN/firewall +- **NSGs are deployed in Bicep** and associated at the subnet level to prevent Azure NRMS from auto-creating restrictive NSGs — without pre-created NSGs, NRMS may block ports needed for Istio and k3s +- Both AKS and k3s NSGs include all required ports (SSH, K8s API, all Istio control/data plane ports, HTTP/HTTPS) ### Bicep Deployment Tips - Use `resourceId()` function for subnet references to avoid race conditions - Add explicit `dependsOn` for AKS clusters referencing VNets - Check AKS supported Kubernetes versions: `az aks get-versions --location ` - Azure VMs require SSH key even when not using SSH; changing key on existing VM causes "PropertyChangeNotAllowed" error +- **`format()` escaping for cloud-init**: In Bicep `format()` templates, `{{` produces literal `{` and `}}` produces literal `}` — critical when embedding bash `${VAR}` or jsonpath `{.data.token}` in cloud-init scripts +- **`@secure()` does not work with Bicep `array` type** (BCP124) — Istio cert data is passed as a plain array parameter ## Related Playgrounds diff --git a/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh b/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh index 0a0113c4..daea7c53 100755 --- a/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh +++ b/documentdb-playground/k3s-azure-fleet/deploy-infrastructure.sh 
@@ -40,6 +40,61 @@ if [ ! -f "$SSH_KEY_PATH" ]; then fi SSH_PUBLIC_KEY=$(cat "${SSH_KEY_PATH}.pub") +# ─── Generate Istio CA certificates (pre-deploy) ─── +ISTIO_VERSION="${ISTIO_VERSION:-1.24.0}" +CERT_DIR="${SCRIPT_DIR}/.istio-certs" +mkdir -p "$CERT_DIR" + +echo "Generating Istio CA certificates..." + +# Download Istio cert tools if not present +if [ ! -d "$CERT_DIR/istio-${ISTIO_VERSION}" ]; then + echo " Downloading Istio ${ISTIO_VERSION} cert tools..." + curl -sL "https://github.com/istio/istio/archive/refs/tags/${ISTIO_VERSION}.tar.gz" | tar xz -C "$CERT_DIR" +fi + +# Generate root CA (shared across all clusters) +if [ ! -f "$CERT_DIR/root-cert.pem" ]; then + echo " Generating shared root CA..." + pushd "$CERT_DIR" > /dev/null + make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" root-ca + popd > /dev/null +fi + +# Generate per-cluster intermediate certs and build JSON array for Bicep +ISTIO_CERTS_JSON="[" +for i in "${!K3S_REGION_ARRAY[@]}"; do + region="${K3S_REGION_ARRAY[$i]}" + cluster_name="k3s-${region}" + + if [ ! -f "$CERT_DIR/${cluster_name}/ca-cert.pem" ]; then + echo " Generating certificates for ${cluster_name}..." 
+ pushd "$CERT_DIR" > /dev/null + make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" "${cluster_name}-cacerts" + popd > /dev/null + fi + + # Base64-encode each PEM file for cloud-init write_files (encoding: b64) + ROOT_CERT_B64=$(base64 < "$CERT_DIR/${cluster_name}/root-cert.pem" | tr -d '\n') + CA_CERT_B64=$(base64 < "$CERT_DIR/${cluster_name}/ca-cert.pem" | tr -d '\n') + CA_KEY_B64=$(base64 < "$CERT_DIR/${cluster_name}/ca-key.pem" | tr -d '\n') + CERT_CHAIN_B64=$(base64 < "$CERT_DIR/${cluster_name}/cert-chain.pem" | tr -d '\n') + + [ "$i" -gt 0 ] && ISTIO_CERTS_JSON+="," + ISTIO_CERTS_JSON+="{\"rootCert\":\"${ROOT_CERT_B64}\",\"caCert\":\"${CA_CERT_B64}\",\"caKey\":\"${CA_KEY_B64}\",\"certChain\":\"${CERT_CHAIN_B64}\"}" +done +ISTIO_CERTS_JSON+="]" + +echo "✓ Istio certificates generated for ${#K3S_REGION_ARRAY[@]} k3s cluster(s)" + +# Also generate certs for AKS hub (applied later by install-istio.sh via kubectl) +if [ ! -f "$CERT_DIR/hub-${HUB_REGION}/ca-cert.pem" ]; then + echo " Generating certificates for hub-${HUB_REGION}..." + pushd "$CERT_DIR" > /dev/null + make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" "hub-${HUB_REGION}-cacerts" + popd > /dev/null +fi + # Create resource group echo "Creating/verifying resource group..." if az group show --name "$RESOURCE_GROUP" &>/dev/null; then @@ -85,6 +140,7 @@ if [ "$SKIP_BICEP" = "false" ]; then --parameters hubLocation="$HUB_REGION" \ --parameters k3sRegions="$K3S_REGIONS_JSON" \ --parameters sshPublicKey="$SSH_PUBLIC_KEY" \ + --parameters istioCerts="$ISTIO_CERTS_JSON" \ --output none echo "✓ Infrastructure deployed" diff --git a/documentdb-playground/k3s-azure-fleet/install-istio.sh b/documentdb-playground/k3s-azure-fleet/install-istio.sh index 9a50d845..21d6f693 100755 --- a/documentdb-playground/k3s-azure-fleet/install-istio.sh +++ b/documentdb-playground/k3s-azure-fleet/install-istio.sh 
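Review bot: The Istio source tarball in the first deploy-infrastructure.sh hunk is fetched with `curl -sL … | tar xz` and its `Makefile.selfsigned.mk` is then run with `make` to create the mesh root CA, with no integrity check on what was downloaded. Without `-f`, an HTTP error body is also piped straight into tar. Downloading to a file, verifying a pinned digest and only then extracting closes both gaps; the digest variable below is a placeholder that has to be pinned per `ISTIO_VERSION`. A comment noting that `$CERT_DIR` holds the root and intermediate CA private keys, and creating it under `umask 077`, would help the next maintainer.

```shell
if [ ! -d "$CERT_DIR/istio-${ISTIO_VERSION}" ]; then
  # … unchanged: progress message …
  istio_tarball=$(mktemp)
  curl -fsSL -o "$istio_tarball" \
    "https://github.com/istio/istio/archive/refs/tags/${ISTIO_VERSION}.tar.gz"
  # ISTIO_SRC_SHA256 is a placeholder: pin the digest of the reviewed tarball
  # for this ISTIO_VERSION (use `shasum -a 256 -c -` where sha256sum is absent).
  echo "${ISTIO_SRC_SHA256:?pin the Istio tarball digest}  $istio_tarball" | sha256sum -c -
  tar xzf "$istio_tarball" -C "$CERT_DIR"
  rm -f -- "$istio_tarball"
fi
```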
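Review bot: `--parameters istioCerts="$ISTIO_CERTS_JSON"` in the second hunk puts every k3s cluster's `caKey` on the `az` command line and into the deployment as an ordinary parameter, so the intermediate CA private keys are visible in the local process list and, since the parameter is not marked secure, are likely retained with the deployment's recorded parameter values. The README in this commit notes that `@secure()` is rejected on `array`; it is accepted on `string` and `object`, so the list can be wrapped in a secure object (`@secure() param istioCerts object`) or passed as a secure string and parsed with `json()`. Writing the JSON to a `mktemp` file and passing `--parameters @"$params_file"` would also keep it off argv. The commit description says the same data is injected through cloud-init, which deserves a comment in `main.bicep`; that file is not part of this hunk.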
@@ -83,14 +83,31 @@ for i in "${!ALL_CLUSTERS[@]}"; do echo "=======================================" # Verify cluster access - if ! kubectl --context "$cluster" get nodes --request-timeout=10s &>/dev/null; then - echo "⚠ Cannot access $cluster via kubectl, trying Run Command..." + if [[ "$cluster" != k3s-* ]]; then + if ! kubectl --context "$cluster" get nodes --request-timeout=10s &>/dev/null; then + echo "⚠ Cannot access $cluster via kubectl" + continue + fi fi - # Create istio-system namespace and label - kubectl --context "$cluster" create namespace istio-system --dry-run=client -o yaml | \ - kubectl --context "$cluster" apply -f - 2>/dev/null || true - kubectl --context "$cluster" label namespace istio-system topology.istio.io/network="${network_id}" --overwrite 2>/dev/null || true + if [[ "$cluster" == k3s-* ]]; then + # ─── k3s clusters: namespace label + certs via Run Command ─── + region="${cluster#k3s-}" + vm_name="k3s-${region}" + + echo "Labeling istio-system namespace on $vm_name..." + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts "k3s kubectl create namespace istio-system --dry-run=client -o yaml | k3s kubectl apply -f - && k3s kubectl label namespace istio-system topology.istio.io/network=${network_id} --overwrite && echo NS_LABELED" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -1 + else + # AKS: direct kubectl + kubectl --context "$cluster" create namespace istio-system --dry-run=client -o yaml | \ + kubectl --context "$cluster" apply -f - 2>/dev/null || true + kubectl --context "$cluster" label namespace istio-system topology.istio.io/network="${network_id}" --overwrite 2>/dev/null || true + fi # Generate and apply cluster-specific certificates echo "Generating certificates for $cluster..." 
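Review bot: In the k3s branch the result of the Run Command is never checked: the output goes through `2>/dev/null | tail -1` and the loop carries on to the certificate and Helm steps even if the namespace was not created or labelled. The reachability check is now skipped for k3s clusters, so an unreachable VM only shows up through later failures. Capturing the output and testing for the marker, as the `CERTS_OK` check later in this commit does, would make it explicit: `result=$(az vm run-command invoke … -o tsv 2>/dev/null || true)` then `echo "$result" | grep -q NS_LABELED || { echo "⚠ Could not label istio-system on $vm_name"; continue; }`. `${network_id}` is expanded locally into the remote script text, so a comment saying it must stay a plain identifier would be useful. The enclosing `for` loop starts and ends outside the hunk.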
@@ -98,105 +115,196 @@ for i in "${!ALL_CLUSTERS[@]}"; do make -f "istio-${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk" "${cluster}-cacerts" popd > /dev/null - kubectl --context "$cluster" create secret generic cacerts -n istio-system \ - --from-file="${CERT_DIR}/${cluster}/ca-cert.pem" \ - --from-file="${CERT_DIR}/${cluster}/ca-key.pem" \ - --from-file="${CERT_DIR}/${cluster}/root-cert.pem" \ - --from-file="${CERT_DIR}/${cluster}/cert-chain.pem" \ - --dry-run=client -o yaml | kubectl --context "$cluster" apply -f - 2>/dev/null || true + if [[ "$cluster" == k3s-* ]]; then + # k3s certs are pre-injected via cloud-init during VM deployment. + # Verify the cacerts secret exists on the VM. + region="${cluster#k3s-}" + vm_name="k3s-${region}" + echo "Verifying pre-injected cacerts secret on $vm_name..." + result=$(az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts 'k3s kubectl get secret cacerts -n istio-system -o name 2>/dev/null && echo CERTS_OK || echo CERTS_MISSING' \ + --query 'value[0].message' -o tsv 2>/dev/null || echo "") + + if echo "$result" | grep -q "CERTS_OK"; then + echo "✓ Cacerts secret verified (pre-injected via cloud-init)" + else + echo "⚠ Cacerts secret not found — applying via Run Command..." 
+ # Fallback: create from locally-generated certs via Run Command + ROOT_CERT_CONTENT=$(cat "${CERT_DIR}/${cluster}/root-cert.pem") + CA_CERT_CONTENT=$(cat "${CERT_DIR}/${cluster}/ca-cert.pem") + CA_KEY_CONTENT=$(cat "${CERT_DIR}/${cluster}/ca-key.pem") + CERT_CHAIN_CONTENT=$(cat "${CERT_DIR}/${cluster}/cert-chain.pem") + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts " +k3s kubectl create namespace istio-system --dry-run=client -o yaml | k3s kubectl apply -f - +cat > /tmp/root-cert.pem <<'CERTEOF' +${ROOT_CERT_CONTENT} +CERTEOF +cat > /tmp/ca-cert.pem <<'CERTEOF' +${CA_CERT_CONTENT} +CERTEOF +cat > /tmp/ca-key.pem <<'CERTEOF' +${CA_KEY_CONTENT} +CERTEOF +cat > /tmp/cert-chain.pem <<'CERTEOF' +${CERT_CHAIN_CONTENT} +CERTEOF +k3s kubectl create secret generic cacerts -n istio-system \ + --from-file=ca-cert.pem=/tmp/ca-cert.pem \ + --from-file=ca-key.pem=/tmp/ca-key.pem \ + --from-file=root-cert.pem=/tmp/root-cert.pem \ + --from-file=cert-chain.pem=/tmp/cert-chain.pem \ + --dry-run=client -o yaml | k3s kubectl apply -f - +echo CERTS_APPLIED" \ + --query 'value[0].message' -o tsv 2>/dev/null || echo " ⚠ Failed to apply certs via Run Command" + fi + else + # AKS: apply certs via kubectl (direct access works) + kubectl --context "$cluster" create secret generic cacerts -n istio-system \ + --from-file="${CERT_DIR}/${cluster}/ca-cert.pem" \ + --from-file="${CERT_DIR}/${cluster}/ca-key.pem" \ + --from-file="${CERT_DIR}/${cluster}/root-cert.pem" \ + --from-file="${CERT_DIR}/${cluster}/cert-chain.pem" \ + --dry-run=client -o yaml | kubectl --context "$cluster" apply -f - 2>/dev/null || true + fi echo "✓ Certificates configured" if [[ "$cluster" == k3s-* ]]; then - # ─── k3s clusters: use Helm for base + istiod, istioctl for gateway ─── - echo "Installing Istio via Helm (k3s-optimized)..." 
+ # ─── k3s clusters: install via Helm through Run Command ─── + region="${cluster#k3s-}" + vm_name="k3s-${region}" + + # Look up public IP for this region + public_ip="" + for idx in "${!K3S_REGION_ARRAY[@]}"; do + if [ "${K3S_REGION_ARRAY[$idx]}" = "$region" ]; then + public_ip="${K3S_IP_ARRAY[$idx]}" + break + fi + done - # Add Istio Helm repo - helm repo add istio https://istio-release.storage.googleapis.com/charts 2>/dev/null || true - helm repo update istio 2>/dev/null || true + echo "Installing Istio via Helm on $vm_name (Run Command)..." - # Install istio-base - helm upgrade --install istio-base istio/base \ - --kube-context "$cluster" \ - --namespace istio-system \ - --version "$ISTIO_VERSION" \ - --wait --timeout 2m 2>/dev/null || echo " istio-base may already be installed" + # Step 1: Install istio-base via Helm + echo " Installing istio-base..." + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts " +export KUBECONFIG=/etc/rancher/k3s/k3s.yaml +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update istio +helm upgrade --install istio-base istio/base \ + --namespace istio-system \ + --version ${ISTIO_VERSION} \ + --skip-schema-validation \ + --wait --timeout 2m && echo ISTIO_BASE_OK || echo ISTIO_BASE_FAIL" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -3 - # Install istiod (single replica, no autoscale for k3s) - helm upgrade --install istiod istio/istiod \ - --kube-context "$cluster" \ - --namespace istio-system \ - --version "$ISTIO_VERSION" \ - --set global.meshID=mesh1 \ - --set global.multiCluster.clusterName="$cluster" \ - --set global.network="$network_id" \ - --set pilot.autoscaleEnabled=false \ - --set pilot.replicaCount=1 \ - --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE="true" \ - --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_AUTO_ALLOCATE="true" \ - --wait --timeout 5m 2>/dev/null 
|| echo " istiod may already be installed" + # Step 2: Install istiod via Helm + echo " Installing istiod..." + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts " +export KUBECONFIG=/etc/rancher/k3s/k3s.yaml +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm upgrade --install istiod istio/istiod \ + --namespace istio-system \ + --version ${ISTIO_VERSION} \ + --set global.meshID=mesh1 \ + --set global.multiCluster.clusterName=${cluster} \ + --set global.network=${network_id} \ + --set pilot.autoscaleEnabled=false \ + --set pilot.replicaCount=1 \ + --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE=true \ + --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_AUTO_ALLOCATE=true \ + --wait --timeout 5m && echo ISTIOD_OK || echo ISTIOD_FAIL" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -3 echo "✓ Istio control plane installed via Helm" - # Install east-west gateway via istioctl - echo "Installing east-west gateway..." - cat </dev/null || true -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator + # Step 3: Install east-west gateway via Helm (use values file for dot-containing labels) + echo " Installing east-west gateway..." 
+ az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts " +export KUBECONFIG=/etc/rancher/k3s/k3s.yaml +cat > /tmp/eastwest-values.yaml <<'VALEOF' +labels: + istio: eastwestgateway + app: istio-eastwestgateway + topology.istio.io/network: ${network_id} +env: + ISTIO_META_ROUTER_MODE: sni-dnat + ISTIO_META_REQUESTED_NETWORK_VIEW: ${network_id} +service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +VALEOF +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm upgrade --install istio-eastwestgateway istio/gateway \ + -n istio-system \ + --version ${ISTIO_VERSION} \ + -f /tmp/eastwest-values.yaml \ + --skip-schema-validation \ + --wait --timeout 5m && echo EW_GW_OK || echo EW_GW_FAIL" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -3 + + # Step 4: Patch east-west gateway with public IP + apply Gateway resource + if [ -n "$public_ip" ]; then + echo " Patching east-west gateway with public IP: $public_ip" + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts " +k3s kubectl patch svc istio-eastwestgateway -n istio-system \ + --type=json -p='[{\"op\": \"add\", \"path\": \"/spec/externalIPs\", \"value\": [\"${public_ip}\"]}]' +cat <<'GWEOF' | k3s kubectl apply -n istio-system -f - +apiVersion: networking.istio.io/v1beta1 +kind: Gateway metadata: - name: eastwest + name: cross-network-gateway spec: - revision: "" - profile: empty - components: - ingressGateways: - - name: istio-eastwestgateway - label: - istio: eastwestgateway - app: istio-eastwestgateway - topology.istio.io/network: ${network_id} - enabled: true - k8s: - env: - - name: ISTIO_META_ROUTER_MODE - value: "sni-dnat" - - name: 
ISTIO_META_REQUESTED_NETWORK_VIEW - value: ${network_id} - service: - ports: - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway - global: - network: ${network_id} -EOF + selector: + istio: eastwestgateway + servers: + - port: + number: 15443 + name: tls + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - '*.local' +GWEOF +echo GW_PATCHED" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -3 + fi - # Patch east-west gateway with VM public IP - # k3s servicelb assigns node internal IPs, not public IPs - region="${cluster#k3s-}" - for idx in "${!K3S_REGION_ARRAY[@]}"; do - if [ "${K3S_REGION_ARRAY[$idx]}" = "$region" ]; then - public_ip="${K3S_IP_ARRAY[$idx]}" - if [ -n "$public_ip" ]; then - echo "Patching east-west gateway with public IP: $public_ip" - kubectl --context "$cluster" patch svc istio-eastwestgateway -n istio-system \ - --type='json' -p="[{\"op\": \"add\", \"path\": \"/spec/externalIPs\", \"value\": [\"$public_ip\"]}]" 2>/dev/null || true - fi - break - fi - done + echo "✓ East-west gateway installed on $vm_name" else # ─── AKS hub: use istioctl (standard approach) ─── echo "Installing Istio via istioctl..." 
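Review bot: The fallback branch writes the intermediate CA private key to `/tmp/ca-key.pem` on the VM (fixed name, default permissions) and never deletes it or the other three PEM files after `k3s kubectl create secret`. The key material is also expanded into the `--scripts` string itself, so it is on the local `az` command line and in whatever copy of the script the Run Command machinery keeps; that needs a different transport and is worth at least a comment here. For the files, a private temporary directory removed on exit is enough, as sketched below. `echo CERTS_APPLIED` currently runs whether or not the apply succeeded, so it should be chained with `&&`. The enclosing loop starts before this hunk.

```shell
        --scripts "
umask 077
cert_tmp=\$(mktemp -d)
trap 'rm -rf -- \"\$cert_tmp\"' EXIT
# … unchanged: namespace apply and the four heredocs, each now writing to \$cert_tmp/<name>.pem …
k3s kubectl create secret generic cacerts -n istio-system \
  --from-file=ca-cert.pem=\$cert_tmp/ca-cert.pem \
  --from-file=ca-key.pem=\$cert_tmp/ca-key.pem \
  --from-file=root-cert.pem=\$cert_tmp/root-cert.pem \
  --from-file=cert-chain.pem=\$cert_tmp/cert-chain.pem \
  --dry-run=client -o yaml | k3s kubectl apply -f - && echo CERTS_APPLIED"
# … unchanged: --query 'value[0].message' and the failure message …
```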
@@ -228,11 +336,10 @@ EOF fi fi - echo "✓ East-west gateway installed" - - # Expose services via east-west gateway - echo "Exposing services..." - cat </dev/null || echo "") - if [ -n "$GATEWAY_IP" ]; then - echo "✓ Gateway IP: $GATEWAY_IP" - break - fi - sleep 10 - done - [ -z "$GATEWAY_IP" ] && echo "⚠ Gateway IP not yet assigned" + echo "✓ Services exposed" + + echo "Waiting for east-west gateway external IP..." + GATEWAY_IP="" + for attempt in {1..30}; do + GATEWAY_IP=$(kubectl --context "$cluster" get svc istio-eastwestgateway -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + if [ -n "$GATEWAY_IP" ]; then + echo "✓ Gateway IP: $GATEWAY_IP" + break + fi + sleep 10 + done + [ -z "$GATEWAY_IP" ] && echo "⚠ Gateway IP not yet assigned" + fi done # ─── Create remote secrets ─── +# Remote secrets allow each cluster's Istio to discover services on other clusters. +# For k3s clusters, we use Run Command since direct kubectl may not work. echo "" echo "=======================================" echo "Creating remote secrets for cross-cluster discovery" echo "=======================================" +# Helper: apply a secret YAML to a target cluster (handles k3s via Run Command) +apply_secret_to_target() { + local target="$1" + local secret_yaml="$2" + + if [[ "$target" == k3s-* ]]; then + local region="${target#k3s-}" + local vm_name="k3s-${region}" + # Escape the YAML for embedding in Run Command script + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts "cat <<'SECRETEOF' | k3s kubectl apply -f - +${secret_yaml} +SECRETEOF +echo SECRET_APPLIED" \ + --query 'value[0].message' -o tsv 2>/dev/null | tail -1 + else + echo "$secret_yaml" | kubectl --context "$target" apply -f - 2>/dev/null + fi +} + for source_cluster in "${ALL_CLUSTERS[@]}"; do - for target_cluster in "${ALL_CLUSTERS[@]}"; do - if [ "$source_cluster" != "$target_cluster" ]; then - 
echo "Creating secret: $source_cluster -> $target_cluster" - istioctl create-remote-secret --context="$source_cluster" --name="$source_cluster" | \ - kubectl --context="$target_cluster" apply -f - 2>/dev/null || \ - echo " ⚠ Could not create remote secret (may already exist)" + if [[ "$source_cluster" == k3s-* ]]; then + # k3s source: read the pre-built remote secret from the VM + # (auto-generated during cloud-init — see main.bicep runcmd) + source_region="${source_cluster#k3s-}" + source_vm="k3s-${source_region}" + + echo "Reading pre-built remote secret from $source_vm..." + RAW_OUTPUT=$(az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$source_vm" \ + --command-id RunShellScript \ + --scripts "cat /etc/istio-remote/remote-secret.yaml 2>/dev/null || echo REMOTE_SECRET_NOT_FOUND" \ + --query 'value[0].message' -o tsv 2>/dev/null || echo "") + SECRET_YAML=$(echo "$RAW_OUTPUT" | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag') + + if [ -z "$SECRET_YAML" ] || ! echo "$SECRET_YAML" | grep -q "apiVersion"; then + echo " ⚠ Remote secret not ready on $source_vm, skipping" + echo " (Cloud-init may still be running. 
Re-run this script to retry.)" + continue fi - done + + for target_cluster in "${ALL_CLUSTERS[@]}"; do + if [ "$source_cluster" != "$target_cluster" ]; then + echo " Applying: $source_cluster -> $target_cluster" + apply_secret_to_target "$target_cluster" "$SECRET_YAML" + fi + done + else + # AKS source: use istioctl (direct access works) + for target_cluster in "${ALL_CLUSTERS[@]}"; do + if [ "$source_cluster" != "$target_cluster" ]; then + echo "Creating secret: $source_cluster -> $target_cluster" + SECRET_YAML=$(istioctl create-remote-secret --context="$source_cluster" --name="$source_cluster" 2>/dev/null || echo "") + if [ -n "$SECRET_YAML" ]; then + apply_secret_to_target "$target_cluster" "$SECRET_YAML" + else + echo " ⚠ Could not create remote secret for $source_cluster" + fi + fi + done + fi done echo "✓ Remote secrets configured" 
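Review bot: `apply_secret_to_target` cannot fail visibly: both branches send stderr to `/dev/null`, the k3s branch ends in `| tail -1`, and the remote script runs `echo SECRET_APPLIED` unconditionally, so the loop reaches `✓ Remote secrets configured` even when no secret was applied. Make the marker depend on the apply, e.g. `cat <<'SECRETEOF' | k3s kubectl apply -f - && echo SECRET_APPLIED || echo SECRET_FAILED`, then test for it locally with `grep -q SECRET_APPLIED || { echo "  ⚠ apply failed on $target" >&2; return 1; }` and count failures before the final message. The k3s branch also embeds the whole secret in the `--scripts` argument. That secret appears to carry the service-account token read from `istio-remote-reader-token` in main.bicep, so a bearer credential ends up on the local command line and in whatever the Run Command extension retains on the VM. A comment above the function should say so and state that the token must be rotated or the service account deleted at teardown.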
@@ -295,8 +459,19 @@ echo "=======================================" for cluster in "${ALL_CLUSTERS[@]}"; do echo "" echo "=== $cluster ===" - kubectl --context "$cluster" get pods -n istio-system -o wide 2>/dev/null | head -10 || echo " Could not get pods" - kubectl --context "$cluster" get svc -n istio-system istio-eastwestgateway 2>/dev/null || echo " Gateway not found" + if [[ "$cluster" == k3s-* ]]; then + region="${cluster#k3s-}" + vm_name="k3s-${region}" + az vm run-command invoke \ + --resource-group "$RESOURCE_GROUP" \ + --name "$vm_name" \ + --command-id RunShellScript \ + --scripts "k3s kubectl get pods -n istio-system -o wide 2>/dev/null | head -10; echo '---'; k3s kubectl get svc -n istio-system istio-eastwestgateway 2>/dev/null || echo 'Gateway not found'" \ + --query 'value[0].message' -o tsv 2>/dev/null | awk '/^\[stdout\]/{flag=1; next} /^\[stderr\]/{flag=0} flag' + else + kubectl --context "$cluster" get pods -n istio-system -o wide 2>/dev/null | head -10 || echo " Could not get pods" + kubectl --context "$cluster" get svc -n istio-system istio-eastwestgateway 2>/dev/null || echo " Gateway not found" + fi done echo "" diff --git a/documentdb-playground/k3s-azure-fleet/main.bicep b/documentdb-playground/k3s-azure-fleet/main.bicep index 673e7d94..7ebcb282 100644 --- a/documentdb-playground/k3s-azure-fleet/main.bicep +++ b/documentdb-playground/k3s-azure-fleet/main.bicep 
@@ -32,14 +32,124 @@ param k3sVersion string = 'v1.30.4+k3s1' @description('Allowed source IP for Kube API access (default: any). Set to your IP/CIDR for security.') param allowedSourceIP string = '*' +@description('Per-cluster Istio CA certificates (base64-encoded PEM). Array of objects with rootCert, caCert, caKey, certChain.') +param istioCerts array = [] + // Variables var aksClusterName = 'hub-${hubLocation}' var aksVnetName = 'aks-${hubLocation}-vnet' var aksSubnetName = 'aks-subnet' // ================================ -// AKS Hub Cluster VNet +// AKS Hub Cluster VNet + NSG // ================================ +resource aksNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = { + name: 'aks-${hubLocation}-nsg' + location: hubLocation + properties: { + securityRules: [ + { + name: 'AllowKubeAPI' + properties: { + priority: 100 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: allowedSourceIP + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '443' + description: 'Kubernetes API server access' + } + } + { + name: 'AllowHTTP' + properties: { + priority: 105 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '80' + description: 'HTTP ingress traffic' + } + } + { + name: 'AllowIstioEastWest' + properties: { + priority: 110 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15443' + description: 'Istio east-west gateway for cross-cluster mTLS traffic' + } + } + { + name: 'AllowIstioStatus' + properties: { + priority: 120 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15021' + description: 'Istio health check / status port' + } + } + { + name: 
'AllowIstioControlPlane' + properties: { + priority: 130 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15012' + description: 'Istio xDS (secure gRPC) for cross-cluster discovery' + } + } + { + name: 'AllowIstioWebhook' + properties: { + priority: 131 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15017' + description: 'Istio webhook for sidecar injection' + } + } + { + name: 'AllowIstioGRPC' + properties: { + priority: 132 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15010' + description: 'Istio xDS (plaintext gRPC) for proxy config distribution' + } + } + ] + } +} + resource aksVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = { name: aksVnetName location: hubLocation @@ -52,6 +162,9 @@ resource aksVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = { name: aksSubnetName properties: { addressPrefix: '10.1.0.0/20' + networkSecurityGroup: { + id: aksNsg.id + } } } ] @@ -102,7 +215,7 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = { // k3s VMs - one per region // ================================ -// k3s VNets +// k3s VNets — subnet references the NSG so Azure won't auto-create NRMS NSGs resource k3sVnets 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (region, i) in k3sRegions: { name: 'k3s-${region}-vnet' location: region 
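Review bot: The Istio rules added to `aksNsg` hard-code `sourceAddressPrefix: '*'`, so ports 15010, 15012, 15017 and 15021 accept traffic from any address, and `AllowIstioGRPC` opens 15010, which its own description calls plaintext gRPC. The east-west gateway values in install-istio.sh list only 15021, 15443, 15012 and 15017, so nothing visible in this patch needs 15010 from outside. I would drop that rule and restrict the others to the peer clusters' addresses through a parameter, e.g. `sourceAddressPrefixes: istioPeerSourcePrefixes`, instead of `'*'`. The same control-plane, webhook and gRPC rules are added to `k3sNsgs` in the later `@@ -154,10 +286,52 @@` hunk and need the same change. A short comment on each rule naming the expected peer, e.g. `// istiod xDS over mTLS, peer clusters only`, would make the intended exposure reviewable.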
@@ -115,21 +228,27 @@ resource k3sVnets 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (region, name: 'k3s-subnet' properties: { addressPrefix: '10.${i + 2}.0.0/24' + networkSecurityGroup: { + id: k3sNsgs[i].id + } } } ] } + dependsOn: [ + k3sNsgs[i] + ] }] // Network Security Groups for k3s VMs -// Note: SSH (port 22) not needed - using Azure VM Run Command for all operations +// Attached to both NIC and subnet to prevent Azure from auto-creating NRMS NSGs resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (region, i) in k3sRegions: { name: 'k3s-${region}-nsg' location: region properties: { securityRules: [ { - name: 'AllowKubeAPI' + name: 'AllowSSH' properties: { priority: 100 direction: 'Inbound' @@ -138,13 +257,26 @@ resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (re sourceAddressPrefix: allowedSourceIP sourcePortRange: '*' destinationAddressPrefix: '*' + destinationPortRange: '22' + } + } + { + name: 'AllowKubeAPI' + properties: { + priority: 110 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: allowedSourceIP + sourcePortRange: '*' + destinationAddressPrefix: '*' destinationPortRange: '6443' } } { name: 'AllowIstioEastWest' properties: { - priority: 110 + priority: 120 direction: 'Inbound' access: 'Allow' protocol: 'Tcp' 
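Review bot: The new `AllowSSH` rule opens port 22 to `allowedSourceIP`, whose default is `'*'`, while the comment this hunk removes said SSH was not needed because every VM operation goes through Run Command. With default parameters this leaves sshd on each k3s VM reachable from any source. Unless something outside this diff needs SSH, leave the rule out. If it stays, add it only for a non-wildcard source, e.g. `securityRules: concat(baseRules, allowedSourceIP == '*' ? [] : [sshRule])`, and give it `description: 'SSH for debugging only; requires allowedSourceIP to be set'`. The rule's `destinationPortRange: '22'` line sits in the following `@@ -138,13 +257,26 @@` hunk.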
@@ -154,10 +286,52 @@ resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (re destinationPortRange: '15443' } } + { + name: 'AllowIstioControlPlane' + properties: { + priority: 130 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15012' + description: 'Istio control plane (istiod) for cross-cluster discovery' + } + } + { + name: 'AllowIstioWebhook' + properties: { + priority: 131 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15017' + description: 'Istio webhook port for sidecar injection' + } + } + { + name: 'AllowIstioGRPC' + properties: { + priority: 132 + direction: 'Inbound' + access: 'Allow' + protocol: 'Tcp' + sourceAddressPrefix: '*' + sourcePortRange: '*' + destinationAddressPrefix: '*' + destinationPortRange: '15010' + description: 'Istio xDS (plaintext gRPC) for proxy config distribution' + } + } { name: 'AllowIstioStatus' properties: { - priority: 120 + priority: 140 direction: 'Inbound' access: 'Allow' protocol: 'Tcp' @@ -170,7 +344,7 @@ resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (re { name: 'AllowHTTP' properties: { - priority: 130 + priority: 150 direction: 'Inbound' access: 'Allow' protocol: 'Tcp' @@ -183,7 +357,7 @@ resource k3sNsgs 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for (re { name: 'AllowHTTPS' properties: { - priority: 140 + priority: 160 direction: 'Inbound' access: 'Allow' protocol: 'Tcp' 
@@ -266,38 +440,133 @@ package_upgrade: true packages: - curl - jq - +{2} runcmd: - # Get public IP via IMDS (retry in case metadata service isn't ready) - - for i in $(seq 1 10); do PUBLIC_IP=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2021-02-01&format=text" 2>/dev/null); [ -n "$PUBLIC_IP" ] && break; sleep 5; done - # Get private IP via IMDS - - PRIVATE_IP=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/privateIpAddress?api-version=2021-02-01&format=text" 2>/dev/null) - # Write k3s config: tls-san for external kubectl, advertise-address so pods reach API via ClusterIP - - mkdir -p /etc/rancher/k3s + # All setup in one block so shell variables persist across commands. + # IMDS does not expose the VM public IP; use ifconfig.me instead. - | - cat > /etc/rancher/k3s/config.yaml < /etc/rancher/k3s/config.yaml </dev/null; do sleep 5; done + k3s kubectl create namespace istio-system --dry-run=client -o yaml | k3s kubectl apply -f - + k3s kubectl create secret generic cacerts -n istio-system \ + --from-file=ca-cert.pem=/etc/istio-certs/ca-cert.pem \ + --from-file=ca-key.pem=/etc/istio-certs/ca-key.pem \ + --from-file=root-cert.pem=/etc/istio-certs/root-cert.pem \ + --from-file=cert-chain.pem=/etc/istio-certs/cert-chain.pem \ + --dry-run=client -o yaml | k3s kubectl apply -f - + echo "Istio cacerts secret created successfully" + else + echo "No Istio certs found at /etc/istio-certs/, skipping cacerts secret" + fi + # Build Istio remote-secret YAML for cross-cluster discovery (auto-generated at boot). + # install-istio.sh reads this file instead of doing multi-step token extraction via Run Command. 
+ - | + CLUSTER_NAME=$(hostname) + PUBLIC_IP=$(curl -s --retry 5 --retry-delay 3 ifconfig.me) + k3s kubectl create namespace istio-system --dry-run=client -o yaml | k3s kubectl apply -f - 2>/dev/null + echo "Setting up Istio remote access service account on $CLUSTER_NAME..." + k3s kubectl apply -f - </dev/null || true + k3s kubectl apply -f - </dev/null) + CA=$(k3s kubectl get secret istio-remote-reader-token -n istio-system -o jsonpath='{{.data.ca\.crt}}' 2>/dev/null) + TOKEN_DECODED=$(echo "$TOKEN" | base64 -d) + if [ -n "$TOKEN" ] && [ -n "$CA" ] && [ -n "$PUBLIC_IP" ]; then + mkdir -p /etc/istio-remote + cat > /etc/istio-remote/remote-secret.yaml < i ? format(''' +write_files: + - path: /etc/istio-certs/root-cert.pem + permissions: '0644' + encoding: b64 + content: {0} + - path: /etc/istio-certs/ca-cert.pem + permissions: '0644' + encoding: b64 + content: {1} + - path: /etc/istio-certs/ca-key.pem + permissions: '0600' + encoding: b64 + content: {2} + - path: /etc/istio-certs/cert-chain.pem + permissions: '0644' + encoding: b64 + content: {3} +''', istioCerts[i].rootCert, istioCerts[i].caCert, istioCerts[i].caKey, istioCerts[i].certChain) : '')) } storageProfile: { imageReference: { diff --git a/documentdb-playground/k3s-azure-fleet/main.json b/documentdb-playground/k3s-azure-fleet/main.json deleted file mode 100644 index 7519fa64..00000000 --- a/documentdb-playground/k3s-azure-fleet/main.json +++ /dev/null 
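Review bot: The `write_files` block formatted into `customData` carries `istioCerts[i].caKey`, the private key of each cluster's Istio CA, and the `istioCerts` parameter that supplies it is a plain `array`, which cannot take `@secure()`. The key therefore travels as an ordinary deployment parameter and, as far as I know, remains in the VM's stored custom data after boot, so the `0600` mode on `/etc/istio-certs/ca-key.pem` does not cover those copies. At minimum pass the material as a `@secure()` object parameter, or better have cloud-init fetch it from Key Vault with the VM's managed identity, and remove `/etc/istio-certs/ca-key.pem` once the `cacerts` secret exists. Separately, `PUBLIC_IP=$(curl -s --retry 5 --retry-delay 3 ifconfig.me)` takes the address that appears to end up in the k3s config and the remote secret from a third-party service over plain HTTP; feeding the template's own public IP resource into the cloud-init, if that is possible here, would remove that dependency. Several heredoc bodies in this hunk are garbled on the page, so the contents and file mode of `/etc/istio-remote/remote-secret.yaml` could not be reviewed.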
@@ -1,382 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.37.4.10188", - "templateHash": "2755652574334991722" - } - }, - "parameters": { - "hubLocation": { - "type": "string", - "defaultValue": "westus3", - "metadata": { - "description": "Location for AKS hub cluster" - } - }, - "k3sRegions": { - "type": "array", - "defaultValue": [ - "eastus2", - "uksouth" - ], - "metadata": { - "description": "Regions for k3s VMs" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Resource group name" - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3", - "metadata": { - "description": "VM size for k3s nodes" - } - }, - "aksVmSize": { - "type": "string", - "defaultValue": "Standard_DS2_v2", - "metadata": { - "description": "AKS node VM size" - } - }, - "sshPublicKey": { - "type": "string", - "metadata": { - "description": "SSH public key for VM access (required by Azure but not used - we use Run Command)" - } - }, - "adminUsername": { - "type": "string", - "defaultValue": "azureuser", - "metadata": { - "description": "Admin username for VMs" - } - }, - "k3sVersion": { - "type": "string", - "defaultValue": "v1.30.4+k3s1", - "metadata": { - "description": "k3s version" - } - } - }, - "variables": { - "aksClusterName": "[format('hub-{0}', parameters('hubLocation'))]", - "aksVnetName": "[format('aks-{0}-vnet', parameters('hubLocation'))]", - "aksSubnetName": "aks-subnet" - }, - "resources": [ - { - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-05-01", - "name": "[variables('aksVnetName')]", - "location": "[parameters('hubLocation')]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "10.1.0.0/16" - ] - }, - "subnets": [ - { - "name": "[variables('aksSubnetName')]", - "properties": { - 
"addressPrefix": "10.1.0.0/20" - } - } - ] - } - }, - { - "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-01-01", - "name": "[variables('aksClusterName')]", - "location": "[parameters('hubLocation')]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "dnsPrefix": "[variables('aksClusterName')]", - "kubernetesVersion": "1.32", - "enableRBAC": true, - "networkProfile": { - "networkPlugin": "azure", - "networkPolicy": "azure", - "serviceCidr": "10.100.0.0/16", - "dnsServiceIP": "10.100.0.10" - }, - "agentPoolProfiles": [ - { - "name": "nodepool1", - "count": 2, - "vmSize": "[parameters('aksVmSize')]", - "mode": "System", - "osType": "Linux", - "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('aksVnetName'), variables('aksSubnetName'))]", - "enableAutoScaling": false - } - ], - "aadProfile": { - "managed": true, - "enableAzureRBAC": true - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', variables('aksVnetName'))]" - ] - }, - { - "copy": { - "name": "k3sVnets", - "count": "[length(parameters('k3sRegions'))]" - }, - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-05-01", - "name": "[format('k3s-{0}-vnet', parameters('k3sRegions')[copyIndex()])]", - "location": "[parameters('k3sRegions')[copyIndex()]]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[format('10.{0}.0.0/16', add(copyIndex(), 2))]" - ] - }, - "subnets": [ - { - "name": "k3s-subnet", - "properties": { - "addressPrefix": "[format('10.{0}.0.0/24', add(copyIndex(), 2))]" - } - } - ] - } - }, - { - "copy": { - "name": "k3sNsgs", - "count": "[length(parameters('k3sRegions'))]" - }, - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2023-05-01", - "name": "[format('k3s-{0}-nsg', parameters('k3sRegions')[copyIndex()])]", - "location": "[parameters('k3sRegions')[copyIndex()]]", - "properties": { - "securityRules": [ - { - "name": "AllowKubeAPI", - 
"properties": { - "priority": 100, - "direction": "Inbound", - "access": "Allow", - "protocol": "Tcp", - "sourceAddressPrefix": "*", - "sourcePortRange": "*", - "destinationAddressPrefix": "*", - "destinationPortRange": "6443" - } - }, - { - "name": "AllowIstioEastWest", - "properties": { - "priority": 110, - "direction": "Inbound", - "access": "Allow", - "protocol": "Tcp", - "sourceAddressPrefix": "*", - "sourcePortRange": "*", - "destinationAddressPrefix": "*", - "destinationPortRange": "15443" - } - }, - { - "name": "AllowIstioStatus", - "properties": { - "priority": 120, - "direction": "Inbound", - "access": "Allow", - "protocol": "Tcp", - "sourceAddressPrefix": "*", - "sourcePortRange": "*", - "destinationAddressPrefix": "*", - "destinationPortRange": "15021" - } - }, - { - "name": "AllowHTTP", - "properties": { - "priority": 130, - "direction": "Inbound", - "access": "Allow", - "protocol": "Tcp", - "sourceAddressPrefix": "*", - "sourcePortRange": "*", - "destinationAddressPrefix": "*", - "destinationPortRange": "80" - } - }, - { - "name": "AllowHTTPS", - "properties": { - "priority": 140, - "direction": "Inbound", - "access": "Allow", - "protocol": "Tcp", - "sourceAddressPrefix": "*", - "sourcePortRange": "*", - "destinationAddressPrefix": "*", - "destinationPortRange": "443" - } - } - ] - } - }, - { - "copy": { - "name": "k3sPublicIps", - "count": "[length(parameters('k3sRegions'))]" - }, - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-05-01", - "name": "[format('k3s-{0}-ip', parameters('k3sRegions')[copyIndex()])]", - "location": "[parameters('k3sRegions')[copyIndex()]]", - "sku": { - "name": "Standard" - }, - "properties": { - "publicIPAllocationMethod": "Static", - "dnsSettings": { - "domainNameLabel": "[format('k3s-{0}-{1}', parameters('k3sRegions')[copyIndex()], uniqueString(resourceGroup().id))]" - } - } - }, - { - "copy": { - "name": "k3sNics", - "count": "[length(parameters('k3sRegions'))]" - }, - "type": 
"Microsoft.Network/networkInterfaces", - "apiVersion": "2023-05-01", - "name": "[format('k3s-{0}-nic', parameters('k3sRegions')[copyIndex()])]", - "location": "[parameters('k3sRegions')[copyIndex()]]", - "properties": { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', format('k3s-{0}-vnet', parameters('k3sRegions')[copyIndex()])), '2023-05-01').subnets[0].id]" - }, - "privateIPAllocationMethod": "Dynamic", - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('k3s-{0}-ip', parameters('k3sRegions')[copyIndex()]))]" - } - } - } - ], - "networkSecurityGroup": { - "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('k3s-{0}-nsg', parameters('k3sRegions')[copyIndex()]))]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', format('k3s-{0}-nsg', parameters('k3sRegions')[copyIndex()]))]", - "[resourceId('Microsoft.Network/publicIPAddresses', format('k3s-{0}-ip', parameters('k3sRegions')[copyIndex()]))]", - "[resourceId('Microsoft.Network/virtualNetworks', format('k3s-{0}-vnet', parameters('k3sRegions')[copyIndex()]))]" - ] - }, - { - "copy": { - "name": "k3sVms", - "count": "[length(parameters('k3sRegions'))]" - }, - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2023-07-01", - "name": "[format('k3s-{0}', parameters('k3sRegions')[copyIndex()])]", - "location": "[parameters('k3sRegions')[copyIndex()]]", - "properties": { - "hardwareProfile": { - "vmSize": "[parameters('vmSize')]" - }, - "osProfile": { - "computerName": "[format('k3s-{0}', parameters('k3sRegions')[copyIndex()])]", - "adminUsername": "[parameters('adminUsername')]", - "linuxConfiguration": { - "disablePasswordAuthentication": true, - "ssh": { - "publicKeys": [ - { - "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", - "keyData": "[parameters('sshPublicKey')]" - } - ] - } - }, - 
"customData": "[base64(format('#cloud-config\npackage_update: true\npackage_upgrade: true\n\npackages:\n - curl\n - jq\n\nruncmd:\n # Install k3s with TLS SANs for remote access (public IP)\n - curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=\"{0}\" PUBLIC_IP=$(curl -s ifconfig.me) sh -s - server --tls-san $(hostname) --tls-san $PUBLIC_IP --node-external-ip $PUBLIC_IP\n \n # Wait for k3s to be ready\n - sleep 30\n - until /usr/local/bin/k3s kubectl get nodes; do sleep 5; done\n \n # Make kubeconfig accessible (keep localhost - deploy script will handle remote access)\n - mkdir -p /home/{1}/.kube\n - cp /etc/rancher/k3s/k3s.yaml /home/{1}/.kube/config\n - chown -R {1}:{1} /home/{1}/.kube\n - chmod 600 /home/{1}/.kube/config\n', parameters('k3sVersion'), parameters('adminUsername')))]" - }, - "storageProfile": { - "imageReference": { - "publisher": "Canonical", - "offer": "0001-com-ubuntu-server-jammy", - "sku": "22_04-lts-gen2", - "version": "latest" - }, - "osDisk": { - "createOption": "FromImage", - "managedDisk": { - "storageAccountType": "Premium_LRS" - }, - "diskSizeGB": 64 - } - }, - "networkProfile": { - "networkInterfaces": [ - { - "id": "[resourceId('Microsoft.Network/networkInterfaces', format('k3s-{0}-nic', parameters('k3sRegions')[copyIndex()]))]" - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/networkInterfaces', format('k3s-{0}-nic', parameters('k3sRegions')[copyIndex()]))]" - ] - } - ], - "outputs": { - "aksClusterName": { - "type": "string", - "value": "[variables('aksClusterName')]" - }, - "aksClusterResourceGroup": { - "type": "string", - "value": "[parameters('resourceGroupName')]" - }, - "k3sVmNames": { - "type": "array", - "copy": { - "count": "[length(parameters('k3sRegions'))]", - "input": "[format('k3s-{0}', parameters('k3sRegions')[copyIndex()])]" - } - }, - "k3sVmPublicIps": { - "type": "array", - "copy": { - "count": "[length(parameters('k3sRegions'))]", - "input": 
"[reference(resourceId('Microsoft.Network/publicIPAddresses', format('k3s-{0}-ip', parameters('k3sRegions')[copyIndex()])), '2023-05-01').ipAddress]" - } - }, - "k3sRegions": { - "type": "array", - "value": "[parameters('k3sRegions')]" - }, - "hubRegion": { - "type": "string", - "value": "[parameters('hubLocation')]" - } - } -} \ No newline at end of file From c638a5b54b66fc0563e2a441d36930a65bb10939 Mon Sep 17 00:00:00 2001 
From: German Date: Fri, 13 Feb 2026 10:03:23 -0800 Subject: [PATCH 5/9] fix: address PR review comments for k3s-azure-fleet playground - Make kubernetesVersion optional in main.bicep (empty = region default) - Add security warning for allowedSourceIP NSG default - Support official OCI Helm chart install via BUILD_CHART=false --- demo-multi-region-backup-restore.sh | 618 +++++++++ .../reserving-nodes-for-documentdb.md | 156 --- .../install-documentdb-operator.sh | 37 +- .../k3s-azure-fleet/main.bicep | 12 +- istio-1.24.3/LICENSE | 202 +++ istio-1.24.3/README.md | 123 ++ istio-1.24.3/manifest.yaml | 36 + istio-1.24.3/manifests/profiles/ambient.yaml | 13 + istio-1.24.3/manifests/profiles/default.yaml | 32 + istio-1.24.3/manifests/profiles/demo.yaml | 9 + istio-1.24.3/manifests/profiles/empty.yaml | 13 + istio-1.24.3/manifests/profiles/minimal.yaml | 8 + .../manifests/profiles/openshift-ambient.yaml | 18 + .../manifests/profiles/openshift.yaml | 10 + istio-1.24.3/manifests/profiles/preview.yaml | 8 + istio-1.24.3/manifests/profiles/remote.yaml | 15 + istio-1.24.3/manifests/profiles/stable.yaml | 5 + istio-1.24.3/samples/README.md | 3 + istio-1.24.3/samples/addons/README.md | 102 ++ .../addons/extras/prometheus-operator.yaml | 66 + .../samples/addons/extras/skywalking.yaml | 133 ++ .../samples/addons/extras/zipkin.yaml | 61 + istio-1.24.3/samples/addons/grafana.yaml | 1112 +++++++++++++++++ istio-1.24.3/samples/addons/jaeger.yaml | 121 ++ istio-1.24.3/samples/addons/kiali.yaml | 425 +++++++ istio-1.24.3/samples/addons/loki.yaml | 382 ++++++ istio-1.24.3/samples/addons/prometheus.yaml | 570 +++++++++ istio-1.24.3/samples/ambient-argo/README.md | 99 ++ .../ambient-argo/application/application.yaml | 22 + .../application/bookinfo-versions.yaml | 72 ++ .../application/details-waypoint.yaml | 12 + .../ambient-argo/application/details.yaml | 50 + .../application/ingress-gateway.yaml | 41 + .../ambient-argo/application/namespace.yaml | 4 + 
.../ambient-argo/application/productpage.yaml | 60 + .../ambient-argo/application/ratings.yaml | 50 + .../application/reviews-waypoint.yaml | 12 + .../ambient-argo/application/reviews.yaml | 143 +++ .../application/route-reviews-90-10.yaml | 17 + .../samples/ambient-argo/istio/cni.yaml | 33 + .../istio/control-plane-appset.yaml | 39 + .../samples/ambient-argo/istio/extras.yaml | 24 + .../samples/ambient-argo/istio/tags.yaml | 33 + .../samples/ambient-argo/istio/ztunnel.yaml | 25 + .../ambient-argo/meta-application.yaml | 31 + .../samples/ambient-argo/tag-chart/Chart.yaml | 11 + .../tag-chart/templates/mutatingwebhooks.yaml | 109 ++ .../tag-chart/templates/shimservice.yaml | 31 + .../templates/validatingwebhook.yaml | 48 + .../ambient-argo/tag-chart/values.yaml | 41 + istio-1.24.3/samples/bookinfo/README.md | 234 ++++ .../bookinfo/demo-profile-no-gateways.yaml | 12 + .../gateway-api/bookinfo-gateway.yaml | 41 + .../bookinfo/gateway-api/route-all-v1.yaml | 60 + .../gateway-api/route-reviews-50-v3.yaml | 18 + .../gateway-api/route-reviews-90-10.yaml | 18 + .../gateway-api/route-reviews-v1.yaml | 14 + .../gateway-api/route-reviews-v3.yaml | 14 + .../bookinfo/networking/bookinfo-gateway.yaml | 43 + .../networking/certmanager-gateway.yaml | 35 + .../networking/destination-rule-all-mtls.yaml | 74 ++ .../networking/destination-rule-all.yaml | 62 + .../networking/destination-rule-reviews.yaml | 19 + .../networking/egress-rule-google-apis.yaml | 46 + .../fault-injection-details-v1.yaml | 32 + .../networking/virtual-service-all-v1.yaml | 52 + .../virtual-service-details-v2.yaml | 12 + .../virtual-service-ratings-db.yaml | 26 + .../virtual-service-ratings-mysql-vm.yaml | 26 + .../virtual-service-ratings-mysql.yaml | 26 + .../virtual-service-ratings-test-abort.yaml | 25 + .../virtual-service-ratings-test-delay.yaml | 25 + .../virtual-service-reviews-50-v3.yaml | 17 + .../virtual-service-reviews-80-20.yaml | 17 + .../virtual-service-reviews-90-10.yaml | 17 + 
.../virtual-service-reviews-jason-v2-v3.yaml | 20 + .../virtual-service-reviews-test-v2.yaml | 20 + .../virtual-service-reviews-v2-v3.yaml | 17 + .../virtual-service-reviews-v3.yaml | 12 + .../samples/bookinfo/platform/kube/README.md | 2 + .../platform/kube/bookinfo-certificate.yaml | 37 + .../bookinfo/platform/kube/bookinfo-db.yaml | 63 + .../kube/bookinfo-details-dualstack.yaml | 59 + .../platform/kube/bookinfo-details-v2.yaml | 46 + .../platform/kube/bookinfo-details.yaml | 57 + .../platform/kube/bookinfo-dualstack.yaml | 343 +++++ .../platform/kube/bookinfo-ingress.yaml | 63 + .../platform/kube/bookinfo-mysql.yaml | 79 ++ .../bookinfo/platform/kube/bookinfo-psa.yaml | 363 ++++++ .../bookinfo-ratings-discovery-dualstack.yaml | 33 + .../kube/bookinfo-ratings-discovery.yaml | 31 + .../kube/bookinfo-ratings-dualstack.yaml | 59 + .../kube/bookinfo-ratings-v2-mysql-vm.yaml | 53 + .../kube/bookinfo-ratings-v2-mysql.yaml | 56 + .../platform/kube/bookinfo-ratings-v2.yaml | 63 + .../platform/kube/bookinfo-ratings.yaml | 57 + .../platform/kube/bookinfo-reviews-v2.yaml | 56 + .../platform/kube/bookinfo-versions.yaml | 72 ++ .../bookinfo/platform/kube/bookinfo.yaml | 335 +++++ .../samples/bookinfo/platform/kube/cleanup.sh | 85 ++ .../platform/kube/productpage-nodeport.yaml | 32 + .../policy/productpage_envoy_ratelimit.yaml | 88 ++ .../samples/bookinfo/src/build-services.sh | 42 + .../bookinfo/src/mongodb/ratings_data.json | 2 + .../samples/bookinfo/src/mongodb/script.sh | 18 + .../bookinfo/src/productpage/requirements.txt | 633 ++++++++++ .../src/productpage/test-requirements.txt | 122 ++ .../samples/bookinfo/src/ratings/package.json | 11 + istio-1.24.3/samples/bookinfo/swagger.yaml | 248 ++++ istio-1.24.3/samples/builder/README.md | 31 + istio-1.24.3/samples/certs/README.md | 38 + istio-1.24.3/samples/certs/ca-cert-alt-2.pem | 32 + istio-1.24.3/samples/certs/ca-cert-alt.pem | 32 + istio-1.24.3/samples/certs/ca-cert.pem | 22 + istio-1.24.3/samples/certs/ca-key-alt-2.pem | 
52 + istio-1.24.3/samples/certs/ca-key-alt.pem | 52 + istio-1.24.3/samples/certs/ca-key.pem | 27 + .../samples/certs/cert-chain-alt-2.pem | 62 + istio-1.24.3/samples/certs/cert-chain-alt.pem | 62 + istio-1.24.3/samples/certs/cert-chain.pem | 22 + .../samples/certs/generate-workload.sh | 111 ++ .../samples/certs/leaf-workload-bar-cert.pem | 21 + .../samples/certs/leaf-workload-foo-cert.pem | 21 + istio-1.24.3/samples/certs/root-cert-alt.pem | 30 + .../samples/certs/root-cert-combined-2.pem | 84 ++ .../samples/certs/root-cert-combined.pem | 54 + istio-1.24.3/samples/certs/root-cert.pem | 24 + .../samples/certs/workload-bar-cert.pem | 43 + .../samples/certs/workload-bar-key.pem | 27 + .../samples/certs/workload-bar-root-certs.pem | 46 + .../samples/certs/workload-foo-cert.pem | 43 + .../samples/certs/workload-foo-key.pem | 27 + .../samples/certs/workload-foo-root-certs.pem | 46 + istio-1.24.3/samples/cicd/skaffold/README.md | 45 + .../samples/cicd/skaffold/skaffold.yaml | 145 +++ istio-1.24.3/samples/curl/README.md | 28 + istio-1.24.3/samples/curl/curl.yaml | 66 + .../samples/custom-bootstrap/README.md | 57 + .../custom-bootstrap/custom-bootstrap.yaml | 20 + .../samples/custom-bootstrap/example-app.yaml | 30 + istio-1.24.3/samples/extauthz/README.md | 99 ++ istio-1.24.3/samples/extauthz/ext-authz.yaml | 55 + .../samples/extauthz/local-ext-authz.yaml | 111 ++ istio-1.24.3/samples/external/README.md | 34 + istio-1.24.3/samples/external/aptget.yaml | 20 + istio-1.24.3/samples/external/github.yaml | 53 + istio-1.24.3/samples/external/pypi.yaml | 44 + istio-1.24.3/samples/grpc-echo/README.md | 7 + istio-1.24.3/samples/grpc-echo/grpc-echo.yaml | 191 +++ .../health-check/liveness-command.yaml | 58 + .../health-check/liveness-http-same-port.yaml | 40 + istio-1.24.3/samples/helloworld/README.md | 110 ++ .../samples/helloworld/gateway-api/README.md | 74 ++ .../gateway-api/helloworld-gateway.yaml | 29 + .../gateway-api/helloworld-route.yaml | 19 + 
.../gateway-api/helloworld-versions.yaml | 23 + .../samples/helloworld/gen-helloworld.sh | 131 ++ .../helloworld/helloworld-dual-stack.yaml | 75 ++ .../helloworld/helloworld-gateway.yaml | 33 + .../samples/helloworld/helloworld.yaml | 71 ++ istio-1.24.3/samples/helloworld/loadgen.sh | 17 + .../samples/helloworld/src/requirements.txt | 467 +++++++ istio-1.24.3/samples/httpbin/README.md | 41 + .../httpbin/gateway-api/httpbin-gateway.yaml | 25 + .../samples/httpbin/httpbin-gateway.yaml | 30 + .../samples/httpbin/httpbin-nodeport.yaml | 55 + istio-1.24.3/samples/httpbin/httpbin.yaml | 60 + .../httpbin/sample-client/fortio-deploy.yaml | 49 + .../samples/jwt-server/jwt-server.yaml | 125 ++ istio-1.24.3/samples/jwt-server/src/Makefile | 19 + istio-1.24.3/samples/kind-lb/README.md | 59 + istio-1.24.3/samples/kind-lb/setupkind.sh | 271 ++++ istio-1.24.3/samples/multicluster/README.md | 47 + .../multicluster/expose-istiod-https.yaml | 76 ++ .../samples/multicluster/expose-istiod.yaml | 54 + .../samples/multicluster/expose-services.yaml | 16 + .../multicluster/gen-eastwest-gateway.sh | 146 +++ .../samples/open-telemetry/als/README.md | 79 ++ .../samples/open-telemetry/loki/REAME.md | 99 ++ .../samples/open-telemetry/loki/iop.yaml | 15 + .../samples/open-telemetry/loki/otel.yaml | 122 ++ .../open-telemetry/loki/telemetry.yaml | 9 + istio-1.24.3/samples/open-telemetry/otel.yaml | 143 +++ .../samples/open-telemetry/tracing/README.md | 145 +++ .../open-telemetry/tracing/telemetry.yaml | 9 + istio-1.24.3/samples/proxy-coredump/README.md | 16 + .../samples/proxy-coredump/daemonset.yaml | 45 + .../ratelimit/local-rate-limit-service.yaml | 87 ++ .../samples/ratelimit/rate-limit-service.yaml | 151 +++ .../samples/security/psp/sidecar-psp.yaml | 46 + istio-1.24.3/samples/security/spire/README.md | 90 ++ .../security/spire/clusterspiffeid.yaml | 9 + .../samples/security/spire/curl-spire.yaml | 70 ++ .../security/spire/istio-spire-config.yaml | 70 ++ 
.../samples/security/spire/sleep-spire.yaml | 70 ++ .../security/spire/spire-quickstart.yaml | 985 +++++++++++++++ istio-1.24.3/samples/sleep/README.md | 6 + istio-1.24.3/samples/sleep/sleep.yaml | 66 + istio-1.24.3/samples/tcp-echo/README.md | 38 + .../tcp-echo/gateway-api/tcp-echo-20-v2.yaml | 16 + .../tcp-echo/gateway-api/tcp-echo-all-v1.yaml | 50 + .../samples/tcp-echo/tcp-echo-20-v2.yaml | 39 + .../samples/tcp-echo/tcp-echo-all-v1.yaml | 61 + .../samples/tcp-echo/tcp-echo-dual-stack.yaml | 62 + .../samples/tcp-echo/tcp-echo-ipv4.yaml | 61 + .../samples/tcp-echo/tcp-echo-ipv6.yaml | 61 + .../samples/tcp-echo/tcp-echo-services.yaml | 86 ++ istio-1.24.3/samples/tcp-echo/tcp-echo.yaml | 58 + istio-1.24.3/samples/wasm_modules/README.md | 3 + .../wasm_modules/header_injector/Makefile | 22 + istio-1.24.3/samples/websockets/README.md | 48 + istio-1.24.3/samples/websockets/app.yaml | 37 + istio-1.24.3/samples/websockets/route.yaml | 32 + istio-1.24.3/tools/_istioctl | 212 ++++ istio-1.24.3/tools/certs/Makefile.k8s.mk | 102 ++ .../tools/certs/Makefile.selfsigned.mk | 98 ++ istio-1.24.3/tools/certs/README.md | 46 + istio-1.24.3/tools/certs/common.mk | 101 ++ istio-1.24.3/tools/istioctl.bash | 338 +++++ 219 files changed, 17509 insertions(+), 167 deletions(-) create mode 100755 demo-multi-region-backup-restore.sh delete mode 100644 docs/operator-public-documentation/reserving-nodes-for-documentdb.md create mode 100644 istio-1.24.3/LICENSE create mode 100644 istio-1.24.3/README.md create mode 100644 istio-1.24.3/manifest.yaml create mode 100644 istio-1.24.3/manifests/profiles/ambient.yaml create mode 100644 istio-1.24.3/manifests/profiles/default.yaml create mode 100644 istio-1.24.3/manifests/profiles/demo.yaml create mode 100644 istio-1.24.3/manifests/profiles/empty.yaml create mode 100644 istio-1.24.3/manifests/profiles/minimal.yaml create mode 100644 istio-1.24.3/manifests/profiles/openshift-ambient.yaml create mode 100644 istio-1.24.3/manifests/profiles/openshift.yaml 
create mode 100644 istio-1.24.3/manifests/profiles/preview.yaml create mode 100644 istio-1.24.3/manifests/profiles/remote.yaml create mode 100644 istio-1.24.3/manifests/profiles/stable.yaml create mode 100644 istio-1.24.3/samples/README.md create mode 100644 istio-1.24.3/samples/addons/README.md create mode 100644 istio-1.24.3/samples/addons/extras/prometheus-operator.yaml create mode 100644 istio-1.24.3/samples/addons/extras/skywalking.yaml create mode 100644 istio-1.24.3/samples/addons/extras/zipkin.yaml create mode 100644 istio-1.24.3/samples/addons/grafana.yaml create mode 100644 istio-1.24.3/samples/addons/jaeger.yaml create mode 100644 istio-1.24.3/samples/addons/kiali.yaml create mode 100644 istio-1.24.3/samples/addons/loki.yaml create mode 100644 istio-1.24.3/samples/addons/prometheus.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/README.md create mode 100644 istio-1.24.3/samples/ambient-argo/application/application.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/details.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/namespace.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/productpage.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/ratings.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/reviews.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/istio/cni.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml create mode 100644 
istio-1.24.3/samples/ambient-argo/istio/extras.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/istio/tags.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/meta-application.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml create mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml create mode 100644 istio-1.24.3/samples/bookinfo/README.md create mode 100644 istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml create mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml create mode 100644 
istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/README.md create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml 
create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml create mode 100755 istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh create mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml create mode 100644 istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml create mode 100755 istio-1.24.3/samples/bookinfo/src/build-services.sh create mode 100644 istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json create mode 100644 istio-1.24.3/samples/bookinfo/src/mongodb/script.sh create mode 100644 istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt create mode 100644 istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt create mode 100644 istio-1.24.3/samples/bookinfo/src/ratings/package.json create mode 100644 istio-1.24.3/samples/bookinfo/swagger.yaml create mode 100644 istio-1.24.3/samples/builder/README.md create mode 100644 istio-1.24.3/samples/certs/README.md create mode 100644 
istio-1.24.3/samples/certs/ca-cert-alt-2.pem create mode 100644 istio-1.24.3/samples/certs/ca-cert-alt.pem create mode 100644 istio-1.24.3/samples/certs/ca-cert.pem create mode 100644 istio-1.24.3/samples/certs/ca-key-alt-2.pem create mode 100644 istio-1.24.3/samples/certs/ca-key-alt.pem create mode 100644 istio-1.24.3/samples/certs/ca-key.pem create mode 100644 istio-1.24.3/samples/certs/cert-chain-alt-2.pem create mode 100644 istio-1.24.3/samples/certs/cert-chain-alt.pem create mode 100644 istio-1.24.3/samples/certs/cert-chain.pem create mode 100755 istio-1.24.3/samples/certs/generate-workload.sh create mode 100644 istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem create mode 100644 istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem create mode 100644 istio-1.24.3/samples/certs/root-cert-alt.pem create mode 100644 istio-1.24.3/samples/certs/root-cert-combined-2.pem create mode 100644 istio-1.24.3/samples/certs/root-cert-combined.pem create mode 100644 istio-1.24.3/samples/certs/root-cert.pem create mode 100644 istio-1.24.3/samples/certs/workload-bar-cert.pem create mode 100644 istio-1.24.3/samples/certs/workload-bar-key.pem create mode 100644 istio-1.24.3/samples/certs/workload-bar-root-certs.pem create mode 100644 istio-1.24.3/samples/certs/workload-foo-cert.pem create mode 100644 istio-1.24.3/samples/certs/workload-foo-key.pem create mode 100644 istio-1.24.3/samples/certs/workload-foo-root-certs.pem create mode 100644 istio-1.24.3/samples/cicd/skaffold/README.md create mode 100644 istio-1.24.3/samples/cicd/skaffold/skaffold.yaml create mode 100644 istio-1.24.3/samples/curl/README.md create mode 100644 istio-1.24.3/samples/curl/curl.yaml create mode 100644 istio-1.24.3/samples/custom-bootstrap/README.md create mode 100644 istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml create mode 100644 istio-1.24.3/samples/custom-bootstrap/example-app.yaml create mode 100644 istio-1.24.3/samples/extauthz/README.md create mode 100644 
istio-1.24.3/samples/extauthz/ext-authz.yaml create mode 100644 istio-1.24.3/samples/extauthz/local-ext-authz.yaml create mode 100644 istio-1.24.3/samples/external/README.md create mode 100644 istio-1.24.3/samples/external/aptget.yaml create mode 100644 istio-1.24.3/samples/external/github.yaml create mode 100644 istio-1.24.3/samples/external/pypi.yaml create mode 100644 istio-1.24.3/samples/grpc-echo/README.md create mode 100644 istio-1.24.3/samples/grpc-echo/grpc-echo.yaml create mode 100644 istio-1.24.3/samples/health-check/liveness-command.yaml create mode 100644 istio-1.24.3/samples/health-check/liveness-http-same-port.yaml create mode 100644 istio-1.24.3/samples/helloworld/README.md create mode 100644 istio-1.24.3/samples/helloworld/gateway-api/README.md create mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml create mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml create mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml create mode 100755 istio-1.24.3/samples/helloworld/gen-helloworld.sh create mode 100644 istio-1.24.3/samples/helloworld/helloworld-dual-stack.yaml create mode 100644 istio-1.24.3/samples/helloworld/helloworld-gateway.yaml create mode 100644 istio-1.24.3/samples/helloworld/helloworld.yaml create mode 100755 istio-1.24.3/samples/helloworld/loadgen.sh create mode 100644 istio-1.24.3/samples/helloworld/src/requirements.txt create mode 100644 istio-1.24.3/samples/httpbin/README.md create mode 100644 istio-1.24.3/samples/httpbin/gateway-api/httpbin-gateway.yaml create mode 100644 istio-1.24.3/samples/httpbin/httpbin-gateway.yaml create mode 100644 istio-1.24.3/samples/httpbin/httpbin-nodeport.yaml create mode 100644 istio-1.24.3/samples/httpbin/httpbin.yaml create mode 100644 istio-1.24.3/samples/httpbin/sample-client/fortio-deploy.yaml create mode 100644 istio-1.24.3/samples/jwt-server/jwt-server.yaml create mode 100644 
istio-1.24.3/samples/jwt-server/src/Makefile create mode 100644 istio-1.24.3/samples/kind-lb/README.md create mode 100755 istio-1.24.3/samples/kind-lb/setupkind.sh create mode 100644 istio-1.24.3/samples/multicluster/README.md create mode 100644 istio-1.24.3/samples/multicluster/expose-istiod-https.yaml create mode 100644 istio-1.24.3/samples/multicluster/expose-istiod.yaml create mode 100644 istio-1.24.3/samples/multicluster/expose-services.yaml create mode 100755 istio-1.24.3/samples/multicluster/gen-eastwest-gateway.sh create mode 100644 istio-1.24.3/samples/open-telemetry/als/README.md create mode 100644 istio-1.24.3/samples/open-telemetry/loki/REAME.md create mode 100644 istio-1.24.3/samples/open-telemetry/loki/iop.yaml create mode 100644 istio-1.24.3/samples/open-telemetry/loki/otel.yaml create mode 100644 istio-1.24.3/samples/open-telemetry/loki/telemetry.yaml create mode 100644 istio-1.24.3/samples/open-telemetry/otel.yaml create mode 100644 istio-1.24.3/samples/open-telemetry/tracing/README.md create mode 100644 istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml create mode 100644 istio-1.24.3/samples/proxy-coredump/README.md create mode 100644 istio-1.24.3/samples/proxy-coredump/daemonset.yaml create mode 100644 istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml create mode 100644 istio-1.24.3/samples/ratelimit/rate-limit-service.yaml create mode 100644 istio-1.24.3/samples/security/psp/sidecar-psp.yaml create mode 100644 istio-1.24.3/samples/security/spire/README.md create mode 100644 istio-1.24.3/samples/security/spire/clusterspiffeid.yaml create mode 100644 istio-1.24.3/samples/security/spire/curl-spire.yaml create mode 100644 istio-1.24.3/samples/security/spire/istio-spire-config.yaml create mode 100644 istio-1.24.3/samples/security/spire/sleep-spire.yaml create mode 100644 istio-1.24.3/samples/security/spire/spire-quickstart.yaml create mode 100644 istio-1.24.3/samples/sleep/README.md create mode 100644 
istio-1.24.3/samples/sleep/sleep.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/README.md create mode 100644 istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml create mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo.yaml create mode 100644 istio-1.24.3/samples/wasm_modules/README.md create mode 100644 istio-1.24.3/samples/wasm_modules/header_injector/Makefile create mode 100644 istio-1.24.3/samples/websockets/README.md create mode 100644 istio-1.24.3/samples/websockets/app.yaml create mode 100644 istio-1.24.3/samples/websockets/route.yaml create mode 100644 istio-1.24.3/tools/_istioctl create mode 100644 istio-1.24.3/tools/certs/Makefile.k8s.mk create mode 100644 istio-1.24.3/tools/certs/Makefile.selfsigned.mk create mode 100644 istio-1.24.3/tools/certs/README.md create mode 100644 istio-1.24.3/tools/certs/common.mk create mode 100644 istio-1.24.3/tools/istioctl.bash diff --git a/demo-multi-region-backup-restore.sh b/demo-multi-region-backup-restore.sh new file mode 100755 index 00000000..0962cfab --- /dev/null +++ b/demo-multi-region-backup-restore.sh 
@@ -0,0 +1,618 @@ +#!/bin/bash +# ============================================================================= +# DocumentDB Multi-Region Cluster Demo +# ============================================================================= +# This script demonstrates: +# 1. Deploying a multi-region DocumentDB cluster +# 2. Writing sample documents using Python/PyMongo +# 3. Creating a backup +# 4. Deleting the original cluster +# 5. Restoring into a new cluster from backup +# +# Prerequisites: +# - kubectl configured with cluster access +# - CSI driver with snapshot support (run ./operator/src/scripts/test-scripts/deploy-csi-driver.sh for Kind/Minikube) +# - DocumentDB operator installed +# - Python3 with pymongo installed (pip3 install pymongo) +# ============================================================================= + +set -e + +# Configuration +NAMESPACE="documentdb-demo-ns" +CLUSTER_NAME="multi-region-demo" +RESTORED_CLUSTER_NAME="restored-demo" +BACKUP_NAME="demo-backup" +PASSWORD="DemoPassword123!" +USERNAME="default_user" +PORT=10260 + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +log_step() { + echo -e "\n${BLUE}===================================================================${NC}" + echo -e "${BLUE}$1${NC}" + echo -e "${BLUE}===================================================================${NC}\n" +} + +log_success() { + echo -e "${GREEN}✓ $1${NC}" +} + +log_info() { + echo -e "${YELLOW}ℹ $1${NC}" +} + +log_error() { + echo -e "${RED}✗ $1${NC}" +} + +wait_for_cluster_ready() { + local cluster_name=$1 + local max_wait=300 + local waited=0 + + log_info "Waiting for cluster '$cluster_name' to be ready (max ${max_wait}s)..." + + while [ $waited -lt $max_wait ]; do + STATUS=$(kubectl get documentdb $cluster_name -n $NAMESPACE -o jsonpath='{.status.phase}' 2>/dev/null || echo "NotFound") + if [ "$STATUS" == "Ready" ]; then + log_success "Cluster '$cluster_name' is Ready!" 
+ return 0 + fi + echo " Current status: $STATUS (waited ${waited}s)" + sleep 10 + waited=$((waited + 10)) + done + + log_error "Timeout waiting for cluster to be ready" + return 1 +} + +wait_for_backup_complete() { + local backup_name=$1 + local max_wait=180 + local waited=0 + + log_info "Waiting for backup '$backup_name' to complete (max ${max_wait}s)..." + + while [ $waited -lt $max_wait ]; do + STATUS=$(kubectl get backup $backup_name -n $NAMESPACE -o jsonpath='{.status.phase}' 2>/dev/null || echo "NotFound") + if [ "$STATUS" == "Completed" ]; then + log_success "Backup '$backup_name' completed!" + return 0 + fi + echo " Current status: $STATUS (waited ${waited}s)" + sleep 10 + waited=$((waited + 10)) + done + + log_error "Timeout waiting for backup to complete" + return 1 +} + +cleanup_port_forward() { + if [ -f /tmp/demo_pf.pid ]; then + PID=$(cat /tmp/demo_pf.pid) + kill $PID 2>/dev/null || true + rm -f /tmp/demo_pf.pid + fi +} + +# Cleanup on exit +trap cleanup_port_forward EXIT + +# ============================================================================= +# STEP 1: Create Namespace and Credentials +# ============================================================================= +log_step "STEP 1: Creating Namespace and Credentials" + +cat < /tmp/demo_pf.log 2>&1 & +PF_PID=$! +echo $PF_PID > /tmp/demo_pf.pid +sleep 10 + +# Check if port forward is working +if ! nc -z 127.0.0.1 $PORT 2>/dev/null; then + log_error "Port forwarding failed. Trying pod-based forwarding..." + cleanup_port_forward + POD_NAME="${CLUSTER_NAME}-1" + kubectl port-forward pod/$POD_NAME $PORT:$PORT -n $NAMESPACE > /tmp/demo_pf.log 2>&1 & + PF_PID=$! + echo $PF_PID > /tmp/demo_pf.pid + sleep 10 +fi + +# Create Python script for writing documents +cat > /tmp/write_documents.py << 'PYTHON_SCRIPT' +#!/usr/bin/env python3 +""" +Demo script to write documents to DocumentDB cluster. +Demonstrates various MongoDB operations. 
+""" + +import sys +from datetime import datetime +from pymongo import MongoClient +from pymongo.errors import ConnectionFailure + +def main(): + if len(sys.argv) != 4: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + + host_port = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + + # Connection string with TLS + connection_string = f"mongodb://{username}:{password}@{host_port}/?authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true" + + print("Connecting to DocumentDB cluster...") + try: + client = MongoClient(connection_string, serverSelectionTimeoutMS=30000) + # Test connection + client.admin.command('ping') + print("✓ Connected successfully!") + except ConnectionFailure as e: + print(f"✗ Connection failed: {e}") + sys.exit(1) + + # Use demo database + db = client.demo_database + + # ================================================================= + # Insert sample data into various collections + # ================================================================= + + print("\n--- Creating 'users' collection ---") + users = db.users + users.drop() # Clean start + + user_docs = [ + {"name": "Alice Johnson", "email": "alice@example.com", "department": "Engineering", + "role": "Senior Developer", "salary": 95000, "joined": datetime(2021, 3, 15)}, + {"name": "Bob Smith", "email": "bob@example.com", "department": "Marketing", + "role": "Marketing Manager", "salary": 85000, "joined": datetime(2020, 6, 1)}, + {"name": "Carol Williams", "email": "carol@example.com", "department": "Engineering", + "role": "Tech Lead", "salary": 110000, "joined": datetime(2019, 1, 10)}, + {"name": "David Brown", "email": "david@example.com", "department": "Sales", + "role": "Sales Representative", "salary": 65000, "joined": datetime(2022, 8, 20)}, + {"name": "Eve Davis", "email": "eve@example.com", "department": "Engineering", + "role": "DevOps Engineer", "salary": 90000, "joined": datetime(2021, 11, 5)} + ] + + result = users.insert_many(user_docs) + 
print(f"✓ Inserted {len(result.inserted_ids)} users") + + print("\n--- Creating 'products' collection ---") + products = db.products + products.drop() + + product_docs = [ + {"name": "Cloud Database", "category": "Database", "price": 299.99, + "features": ["Auto-scaling", "Multi-region", "Backup"], "in_stock": True}, + {"name": "API Gateway", "category": "Networking", "price": 149.99, + "features": ["Rate limiting", "Authentication", "Logging"], "in_stock": True}, + {"name": "ML Platform", "category": "AI/ML", "price": 499.99, + "features": ["Model training", "Inference", "AutoML"], "in_stock": True}, + {"name": "Container Registry", "category": "DevOps", "price": 99.99, + "features": ["Image scanning", "Geo-replication"], "in_stock": True} + ] + + result = products.insert_many(product_docs) + print(f"✓ Inserted {len(result.inserted_ids)} products") + + print("\n--- Creating 'orders' collection ---") + orders = db.orders + orders.drop() + + order_docs = [ + {"order_id": "ORD-001", "customer": "alice@example.com", "product": "Cloud Database", + "quantity": 1, "total": 299.99, "status": "completed", "date": datetime(2024, 1, 15)}, + {"order_id": "ORD-002", "customer": "bob@example.com", "product": "API Gateway", + "quantity": 2, "total": 299.98, "status": "processing", "date": datetime(2024, 1, 20)}, + {"order_id": "ORD-003", "customer": "carol@example.com", "product": "ML Platform", + "quantity": 1, "total": 499.99, "status": "completed", "date": datetime(2024, 1, 22)}, + {"order_id": "ORD-004", "customer": "alice@example.com", "product": "Container Registry", + "quantity": 3, "total": 299.97, "status": "pending", "date": datetime(2024, 1, 25)} + ] + + result = orders.insert_many(order_docs) + print(f"✓ Inserted {len(result.inserted_ids)} orders") + + # ================================================================= + # Demonstrate query operations + # ================================================================= + + print("\n--- Running sample queries ---") + 
+ # Count documents + user_count = users.count_documents({}) + print(f"Total users: {user_count}") + + # Find with filter + engineers = list(users.find({"department": "Engineering"})) + print(f"Engineers: {len(engineers)}") + for eng in engineers: + print(f" - {eng['name']} ({eng['role']})") + + # Aggregation: Average salary by department + pipeline = [ + {"$group": { + "_id": "$department", + "avg_salary": {"$avg": "$salary"}, + "count": {"$sum": 1} + }}, + {"$sort": {"avg_salary": -1}} + ] + dept_stats = list(users.aggregate(pipeline)) + print("\nSalary by department:") + for stat in dept_stats: + print(f" {stat['_id']}: ${stat['avg_salary']:,.2f} avg ({stat['count']} employees)") + + # Order statistics + completed_orders = orders.count_documents({"status": "completed"}) + total_revenue = sum(order['total'] for order in orders.find({"status": "completed"})) + print(f"\nCompleted orders: {completed_orders}") + print(f"Total revenue: ${total_revenue:,.2f}") + + print("\n" + "="*60) + print("✓ All demo documents written successfully!") + print("="*60) + + # Summary + print(f"\nDatabase: demo_database") + print(f"Collections created:") + print(f" - users: {users.count_documents({})} documents") + print(f" - products: {products.count_documents({})} documents") + print(f" - orders: {orders.count_documents({})} documents") + + client.close() + +if __name__ == "__main__": + main() +PYTHON_SCRIPT + +# Run the Python script +python3 /tmp/write_documents.py "127.0.0.1:$PORT" "$USERNAME" "$PASSWORD" + +log_success "Demo documents written to the cluster" + +# Cleanup port forward +cleanup_port_forward + +# ============================================================================= +# STEP 4: Create Backup +# ============================================================================= +log_step "STEP 4: Creating Backup of the Cluster" + +cat </dev/null; then + log_error "Cluster still exists!" 
+ exit 1 +else + log_success "Cluster successfully deleted" +fi + +# Show backup still exists +echo "" +log_info "Backup still available for restore:" +kubectl get backup $BACKUP_NAME -n $NAMESPACE + +# ============================================================================= +# STEP 6: Restore into New Cluster +# ============================================================================= +log_step "STEP 6: Restoring Backup into New Cluster" + +cat < /tmp/demo_pf.log 2>&1 & +PF_PID=$! +echo $PF_PID > /tmp/demo_pf.pid +sleep 10 + +# Create verification script +cat > /tmp/verify_restore.py << 'PYTHON_SCRIPT' +#!/usr/bin/env python3 +""" +Verify that restored data matches original data. +""" + +import sys +from pymongo import MongoClient +from pymongo.errors import ConnectionFailure + +def main(): + if len(sys.argv) != 4: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + + host_port = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + + connection_string = f"mongodb://{username}:{password}@{host_port}/?authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true" + + print("Connecting to restored cluster...") + try: + client = MongoClient(connection_string, serverSelectionTimeoutMS=30000) + client.admin.command('ping') + print("✓ Connected successfully!") + except ConnectionFailure as e: + print(f"✗ Connection failed: {e}") + sys.exit(1) + + db = client.demo_database + + print("\n" + "="*60) + print("VERIFYING RESTORED DATA") + print("="*60) + + # Verify users collection + users = db.users + user_count = users.count_documents({}) + print(f"\n✓ Users collection: {user_count} documents") + + if user_count == 5: + print(" Expected: 5, Found: 5 - PASS") + else: + print(f" Expected: 5, Found: {user_count} - FAIL") + + # Show sample user + sample_user = users.find_one({"name": "Alice Johnson"}) + if sample_user: + print(f" Sample user: {sample_user['name']} - {sample_user['role']}") + + # Verify products collection + products = db.products + 
product_count = products.count_documents({}) + print(f"\n✓ Products collection: {product_count} documents") + + if product_count == 4: + print(" Expected: 4, Found: 4 - PASS") + else: + print(f" Expected: 4, Found: {product_count} - FAIL") + + # Verify orders collection + orders = db.orders + order_count = orders.count_documents({}) + print(f"\n✓ Orders collection: {order_count} documents") + + if order_count == 4: + print(" Expected: 4, Found: 4 - PASS") + else: + print(f" Expected: 4, Found: {order_count} - FAIL") + + # Run same aggregation as before to verify data integrity + pipeline = [ + {"$group": { + "_id": "$department", + "avg_salary": {"$avg": "$salary"}, + "count": {"$sum": 1} + }}, + {"$sort": {"avg_salary": -1}} + ] + dept_stats = list(users.aggregate(pipeline)) + + print("\n✓ Aggregation results (should match original):") + for stat in dept_stats: + print(f" {stat['_id']}: ${stat['avg_salary']:,.2f} avg ({stat['count']} employees)") + + print("\n" + "="*60) + print("✓ DATA RESTORATION VERIFIED SUCCESSFULLY!") + print("="*60) + + client.close() + +if __name__ == "__main__": + main() +PYTHON_SCRIPT + +# Run verification +python3 /tmp/verify_restore.py "127.0.0.1:$PORT" "$USERNAME" "$PASSWORD" + +# Cleanup +cleanup_port_forward +rm -f /tmp/write_documents.py /tmp/verify_restore.py + +# ============================================================================= +# Summary +# ============================================================================= +log_step "DEMO COMPLETE!" + +echo -e "${GREEN}" +echo "============================================================" +echo " Multi-Region Backup & Restore Demo Completed Successfully!" +echo "============================================================" +echo "" +echo " What was demonstrated:" +echo " 1. ✓ Created namespace and credentials" +echo " 2. ✓ Deployed multi-region DocumentDB cluster (3 nodes, HA)" +echo " 3. ✓ Wrote demo documents (users, products, orders)" +echo " 4. 
✓ Created backup of the cluster"
+echo " 5. ✓ Deleted original cluster"
+echo " 6. ✓ Restored from backup to new cluster"
+echo " 7. ✓ Verified restored data integrity"
+echo ""
+echo " Resources created:"
+echo " - Namespace: $NAMESPACE"
+echo " - Restored Cluster: $RESTORED_CLUSTER_NAME"
+echo " - Backup: $BACKUP_NAME"
+echo ""
+echo " Cleanup command:"
+echo " kubectl delete namespace $NAMESPACE"
+echo -e "${NC}"
diff --git a/docs/operator-public-documentation/reserving-nodes-for-documentdb.md b/docs/operator-public-documentation/reserving-nodes-for-documentdb.md
deleted file mode 100644
index 7a57f112..00000000
--- a/docs/operator-public-documentation/reserving-nodes-for-documentdb.md
+++ /dev/null
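Review bot: The script writes its helper programs, PID file and log to fixed names under /tmp (`/tmp/write_documents.py`, `/tmp/verify_restore.py`, `/tmp/demo_pf.pid`, `/tmp/demo_pf.log`) and then executes or trusts them, so on a host with other local users a file or symlink already present at those paths can redirect the writes, change what `python3` runs, or change which PID `cleanup_port_forward` kills. Create a private directory once with `WORK_DIR=$(mktemp -d)`, use `"$WORK_DIR/..."` for all four paths, and extend the trap to `trap 'cleanup_port_forward; rm -rf -- "$WORK_DIR"' EXIT`. The hard-coded `PASSWORD` is also passed to both Python scripts as a command-line argument, where it shows up in the process list; passing it through the environment and reading it with `os.environ` would avoid that. Separately, verify_restore.py prints FAIL on a count mismatch but still prints the success banner and exits 0, so a bad restore does not stop the demo under `set -e`; it should call `sys.exit(1)` when any count differs.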
@@ -1,156 +0,0 @@ -# Reserving Nodes for DocumentDB Workloads - -This guide explains how to dedicate Kubernetes worker nodes exclusively to DocumentDB (PostgreSQL) workloads for optimal performance and isolation in production environments. - -## Overview - -By reserving specific nodes for DocumentDB, you ensure: - -- **Resource isolation**: Database workloads don't compete with other applications -- **Predictable performance**: Dedicated CPU, memory, and I/O resources -- **Better fault tolerance**: Database instances spread across dedicated nodes - -> **Best Practice**: Deploy dedicated nodes in multiples of three—ideally one per availability zone. This ensures a 3-instance DocumentDB cluster (1 primary + 2 replicas) is distributed across different nodes. - -## Step 1: Label Your Nodes - -Apply the `postgres` role label to nodes designated for DocumentDB. This reserved label can only be applied after the node is created: - -```bash -kubectl label node node-role.kubernetes.io/postgres= -``` - -Verify the label: - -```bash -kubectl get nodes -l node-role.kubernetes.io/postgres -``` - -## Step 2: Taint Your Nodes - -Prevent non-database workloads from being scheduled on these nodes. Use a custom taint key (cloud providers may restrict `kubernetes.io` namespace taints): - -```bash -kubectl taint node workload=postgres:NoSchedule -``` - -This ensures only pods that explicitly tolerate this taint can run on these nodes. - -## Step 3: Configure DocumentDB Scheduling - -> **Note**: The DocumentDB operator currently does not expose `nodeSelector` or `tolerations` directly in the `DocumentDBSpec`. You can configure scheduling by patching the underlying CNPG Cluster resource after creation, or request this feature be added to the operator. 
- -### Patching the CNPG Cluster - -After deploying DocumentDB, patch the underlying CNPG Cluster: - -```bash -kubectl patch cluster -n --type=merge -p ' -{ - "spec": { - "affinity": { - "nodeSelector": { - "node-role.kubernetes.io/postgres": "" - }, - "tolerations": [ - { - "key": "workload", - "operator": "Equal", - "value": "postgres", - "effect": "NoSchedule" - } - ] - } - } -}' -``` - -### Example: Full Affinity Configuration - -For production deployments with anti-affinity (instances on different nodes/zones): - -```yaml -spec: - affinity: - nodeSelector: - node-role.kubernetes.io/postgres: "" - tolerations: - - key: workload - operator: Equal - value: postgres - effect: NoSchedule - enablePodAntiAffinity: true - topologyKey: topology.kubernetes.io/zone # Spread across AZs -``` - -## Cloud Provider Node Pools - -### Azure AKS - -Create a dedicated node pool. AKS restricts `kubernetes.io` namespace labels during creation, so use a custom label and apply the reserved label after: - -```bash -# Create node pool with custom label and taint -az aks nodepool add \ - --resource-group \ - --cluster-name \ - --name postgrespool \ - --node-count 3 \ - --node-vm-size Standard_D8s_v3 \ - --labels workload=postgres \ - --node-taints workload=postgres:NoSchedule \ - --zones 1 2 3 - -# Apply the reserved postgres label after node creation -for node in $(kubectl get nodes -l workload=postgres -o name); do - kubectl label $node node-role.kubernetes.io/postgres= -done -``` - -### AWS EKS - -```bash -eksctl create nodegroup \ - --cluster \ - --name postgres-nodes \ - --node-type m5.2xlarge \ - --nodes 3 \ - --node-labels "workload=postgres" \ - --node-taints "workload=postgres:NoSchedule" - -# Apply the reserved postgres label after node creation -for node in $(kubectl get nodes -l workload=postgres -o name); do - kubectl label $node node-role.kubernetes.io/postgres= -done -``` - -### GCP GKE - -```bash -gcloud container node-pools create postgres-pool \ - --cluster \ - 
--num-nodes 3 \ - --machine-type n2-standard-8 \ - --node-labels workload=postgres \ - --node-taints workload=postgres:NoSchedule - -# Apply the reserved postgres label after node creation -for node in $(kubectl get nodes -l workload=postgres -o name); do - kubectl label $node node-role.kubernetes.io/postgres= -done -``` - -## Recommended Node Sizing - -| Workload | vCPU | Memory | Storage | -|----------|------|--------|---------| -| Development | 2 | 8 GB | 50 GB SSD | -| Production (small) | 4 | 16 GB | 200 GB SSD | -| Production (medium) | 8 | 32 GB | 500 GB SSD | -| Production (large) | 16+ | 64+ GB | 1+ TB NVMe | - -## References - -- [CloudNativePG Architecture - Reserving Nodes](https://cloudnative-pg.io/docs/1.27/architecture/#reserving-nodes-for-postgresql-workloads) -- [Kubernetes Node Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) -- [Kubernetes Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) diff --git a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh index 1596ca68..622b7900 100755 --- a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh +++ b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh 
@@ -2,8 +2,15 @@ set -euo pipefail # Install DocumentDB operator on all clusters -# - AKS hub: installed via Helm from local chart package +# - AKS hub: installed via Helm (from OCI registry or local chart) # - k3s VMs: installed via Azure VM Run Command (CNPG from upstream, operator manifests via base64) +# +# Environment variables: +# BUILD_CHART - "true" (default) builds from local source; "false" pulls from OCI registry +# CHART_REGISTRY - OCI registry URL (default: oci://ghcr.io/microsoft/documentdb-kubernetes-operator/documentdb-operator) +# CHART_VERSION - Chart version when using OCI registry (default: 0.0.1) +# VERSION - Local chart version number (default: 200) +# VALUES_FILE - Optional Helm values file path SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" @@ -18,6 +25,9 @@ fi CHART_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)/operator/documentdb-helm-chart" VERSION="${VERSION:-200}" VALUES_FILE="${VALUES_FILE:-}" +BUILD_CHART="${BUILD_CHART:-true}" +CHART_REGISTRY="${CHART_REGISTRY:-oci://ghcr.io/microsoft/documentdb-kubernetes-operator/documentdb-operator}" +CHART_VERSION="${CHART_VERSION:-0.0.1}" HUB_CLUSTER_NAME="${HUB_CLUSTER_NAME:-hub-${HUB_REGION}}" echo "=======================================" 
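Review bot: The `CHART_REGISTRY` and `CHART_VERSION` defaults added in the `@@ -18,6 +25,9 @@` hunk select the operator chart by a version tag read from the environment, and nothing in this hunk or the new header comment says how the pulled chart is verified. A chart that installs an operator presumably carries broad cluster permissions, so the header comment should state the trust assumption. For example: `#   CHART_VERSION  - chart tag pulled from CHART_REGISTRY (default: 0.0.1); not verified, pin a digest outside demo use`. Whether the registry publishes digests or provenance is not visible in the patch, so confirm before adopting that wording.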
@@ -44,11 +54,17 @@ echo "=======================================" kubectl config use-context "$HUB_CLUSTER_NAME" CHART_PKG="$SCRIPT_DIR/documentdb-operator-0.0.${VERSION}.tgz" -rm -f "$CHART_PKG" -echo "Packaging Helm chart..." -helm dependency update "$CHART_DIR" -helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR" +if [ "$BUILD_CHART" = "true" ]; then + rm -f "$CHART_PKG" + echo "Packaging Helm chart from local source..." + helm dependency update "$CHART_DIR" + helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR" + CHART_REF="$CHART_PKG" +else + echo "Installing from OCI registry: $CHART_REGISTRY (version $CHART_VERSION)..." + CHART_REF="$CHART_REGISTRY --version $CHART_VERSION" +fi echo "" echo "Installing operator..." @@ -60,7 +76,8 @@ HELM_ARGS=( if [ -n "$VALUES_FILE" ] && [ -f "$VALUES_FILE" ]; then HELM_ARGS+=(--values "$VALUES_FILE") fi -helm upgrade --install documentdb-operator "$CHART_PKG" "${HELM_ARGS[@]}" +# shellcheck disable=SC2086 +helm upgrade --install documentdb-operator $CHART_REF "${HELM_ARGS[@]}" echo "✓ Operator installed on $HUB_CLUSTER_NAME" # ─── Step 2: Install on k3s clusters via Run Command ─── @@ -71,6 +88,14 @@ echo "=======================================" # Generate DocumentDB-specific manifests (excluding CNPG subchart) echo "Generating DocumentDB operator manifests..." + +# k3s VMs need a local chart package for helm template, even when AKS uses OCI +if [ "$BUILD_CHART" != "true" ] && [ ! -f "$CHART_PKG" ]; then + echo "Building local chart package for k3s manifest generation..." + helm dependency update "$CHART_DIR" + helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR" +fi + DOCDB_MANIFESTS=$(mktemp) # Add documentdb-operator namespace diff --git a/documentdb-playground/k3s-azure-fleet/main.bicep b/documentdb-playground/k3s-azure-fleet/main.bicep index 7ebcb282..05f12a07 100644 --- a/documentdb-playground/k3s-azure-fleet/main.bicep 
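Review bot: `CHART_REF` is built as a flat string in the `@@ -44,11 +54,17 @@` hunk and expanded unquoted in the `@@ -60,7 +76,8 @@` hunk, so the local-build path, which used to pass `"$CHART_PKG"` quoted, now word-splits and globs a path derived from `$SCRIPT_DIR`. A checkout directory containing a space breaks the install, and so does a `CHART_REGISTRY` or `CHART_VERSION` value containing whitespace. An array keeps both branches safe and removes the need for the SC2086 suppression: `CHART_REF=("$CHART_PKG")`, `CHART_REF=("$CHART_REGISTRY" --version "$CHART_VERSION")`, then `helm upgrade --install documentdb-operator "${CHART_REF[@]}" "${HELM_ARGS[@]}"`. Separately, any `BUILD_CHART` value other than the exact string `true` (for example `True` or `1`) silently takes the registry branch; a `case` that rejects unknown values would make the choice explicit.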
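Review bot: With `BUILD_CHART=false` the hub is installed from `$CHART_REGISTRY` at `$CHART_VERSION`, while the block added in the `@@ -71,6 +88,14 @@` hunk renders the k3s manifests from the local source tree at `0.0.${VERSION}`, so hub and member clusters can run different operator builds from different origins. The `[ ! -f "$CHART_PKG" ]` guard also reuses a package left over from an earlier run without rebuilding it. If the local render is intentional, say so at run time, e.g. `echo "WARNING: k3s manifests come from local chart 0.0.${VERSION}, not $CHART_REGISTRY:$CHART_VERSION" >&2`; otherwise fetch the same chart for both paths. The `helm template` call that consumes the package is outside this hunk, so whether it could take the OCI reference directly needs checking there.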
+++ b/documentdb-playground/k3s-azure-fleet/main.bicep @@ -24,17 +24,20 @@ param sshPublicKey string param adminUsername string = 'azureuser' @description('Kubernetes version for AKS (empty string uses region default)') -param kubernetesVersion string = '1.32' +param kubernetesVersion string = '' @description('k3s version') param k3sVersion string = 'v1.30.4+k3s1' -@description('Allowed source IP for Kube API access (default: any). Set to your IP/CIDR for security.') +@description('Allowed source IP for Kube API (port 6443) access. WARNING: Default \'*\' opens the Kubernetes API to the public internet. For production, restrict to your IP/CIDR (e.g., \'203.0.113.0/24\').') param allowedSourceIP string = '*' @description('Per-cluster Istio CA certificates (base64-encoded PEM). Array of objects with rootCert, caCert, caKey, certChain.') param istioCerts array = [] +// Optionally include kubernetesVersion in cluster properties +var maybeK8sVersion = empty(kubernetesVersion) ? {} : { kubernetesVersion: kubernetesVersion } + // Variables var aksClusterName = 'hub-${hubLocation}' var aksVnetName = 'aks-${hubLocation}-vnet' @@ -180,9 +183,8 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = { identity: { type: 'SystemAssigned' } - properties: { + properties: union({ dnsPrefix: aksClusterName - kubernetesVersion: kubernetesVersion enableRBAC: true networkProfile: { networkPlugin: 'azure' @@ -205,7 +207,7 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = { managed: true enableAzureRBAC: true } - } + }, maybeK8sVersion) dependsOn: [ aksVnet ] diff --git a/istio-1.24.3/LICENSE b/istio-1.24.3/LICENSE new file mode 100644 index 00000000..75bfd113 --- /dev/null +++ b/istio-1.24.3/LICENSE 
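Review bot: `allowedSourceIP` still defaults to `'*'` in the `@@ -24,17 +24,20 @@` hunk; the change only rewrites the description, so a deployment that does not override the parameter still exposes port 6443 to any source address. Dropping the default forces the caller to choose: `param allowedSourceIP string`, with the value supplied from the parameters file or the deploy script. If the open default must stay for the demo, the rule that consumes it (outside this hunk) is the place for a comment marking it demo-only. The context line for `istioCerts` shows CA private keys (`caKey`) passing through a plain `array` parameter; it is worth confirming they do not end up readable in the deployment history.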
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/istio-1.24.3/README.md b/istio-1.24.3/README.md new file mode 100644 index 00000000..3e1c9ad3 --- /dev/null +++ b/istio-1.24.3/README.md 
@@ -0,0 +1,123 @@ +# Istio + +[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395) +[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) +[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) + + + Istio logo + + +--- + +Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. + +- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) +- To ask questions and get assistance from our community, visit [Github Discussions](https://github.com/istio/istio/discussions) +- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) + +In this README: + +- [Introduction](#introduction) +- [Repositories](#repositories) +- [Issue management](#issue-management) + +In addition, here are some other documents you may wish to read: + +- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project +- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment +- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base +- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base + +You'll find many other useful documents on our 
[Wiki](https://github.com/istio/istio/wiki). + +## Introduction + +[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate +microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies +and aggregate telemetry data. Istio's control plane provides an abstraction +layer over the underlying cluster management platform, such as Kubernetes. + +Istio is composed of these components: + +- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic + between services in the cluster and from a service to external + services. The proxies form a _secure microservice mesh_ providing a rich + set of functions like discovery, rich layer-7 routing, circuit breakers, + policy enforcement and telemetry recording/reporting + functions. + + > Note: The service mesh is not an overlay network. It + > simplifies and enhances how microservices in an application talk to each + > other over the network provided by the underlying platform. + +- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: + + - **Pilot** - Responsible for configuring the proxies at runtime. + + - **Citadel** - Responsible for certificate issuance and rotation. + + - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. + +- **Operator** - The component provides user friendly options to operate the Istio service mesh. + +## Repositories + +The Istio project is divided across a few GitHub repositories: + +- [istio/api](https://github.com/istio/api). This repository defines +component-level APIs and common configuration formats for the Istio platform. + +- [istio/community](https://github.com/istio/community). 
This repository contains +information on the Istio community, including the various documents that govern +the Istio open source project. + +- [istio/istio](README.md). This is the main code repository. It hosts Istio's +core components, install artifacts, and sample programs. It includes: + + - [istioctl](istioctl/). This directory contains code for the +[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. + + - [pilot](pilot/). This directory +contains platform-specific code to populate the +[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies +when the application topology changes, as well as translate +[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. + + - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, +including Citadel (acting as Certificate Authority), citadel agent, etc. + +- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains +extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of +Envoy filters) that support authentication, authorization, and telemetry collection. + +- [istio/ztunnel](https://github.com/istio/ztunnel). The repository contains the Rust implementation of the ztunnel +component of Ambient mesh. + +- [istio/client-go](https://github.com/istio/client-go). This repository defines + auto-generated Kubernetes clients for interacting with Istio resources programmatically. + +> [!NOTE] +> Only the `istio/api` and `istio/client-go` repositories expose stable interfaces intended for direct usage as libraries. + +## Issue management + +We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: + +- **Epic**. An epic represents a feature area for Istio as a whole. 
Epics are fairly broad in scope and are basically product-level things. +Each issue is ultimately part of an epic. + +- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we +think the issue should get addressed. + +- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of +P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the +milestone cannot be considered achieved if the issue isn't resolved. + +--- + +
+ Cloud Native Computing Foundation logo +

Istio is a Cloud Native Computing Foundation project.

+
diff --git a/istio-1.24.3/manifest.yaml b/istio-1.24.3/manifest.yaml new file mode 100644 index 00000000..3423f03b --- /dev/null +++ b/istio-1.24.3/manifest.yaml @@ -0,0 +1,36 @@ +architectures: +- linux/amd64 +- linux/arm64 +dashboards: + istio-extension-dashboard: 13277 + istio-mesh-dashboard: 7639 + istio-performance-dashboard: 11829 + istio-service-dashboard: 7636 + istio-workload-dashboard: 7630 + pilot-dashboard: 7645 + ztunnel-dashboard: 21306 +dependencies: + api: + goversionenabled: true + sha: fef7700e8ddfc6489ebbf6376e0c2fd65e593630 + client-go: + goversionenabled: true + sha: e8de2e86eed8b60c035b955f896cdb725c3a4041 + envoy: + sha: 35c166bb5c90573151afbd94a0936741f9fab8bc + istio: + sha: 44d0e58e49d0dc89e27fc4f8679c68132d46b887 + proxy: + sha: 1c795e96d02ca3ddac6b8610b8368a65b91f990a + release-builder: + sha: dbfedb6f3a69e0192fa1b252b068b01c05dfc9c2 + test-infra: + sha: 144e6559bd90520b8d3e79ad7b27b98abfb3ecca + tools: + sha: 6abbfc29dd6ec45f2d0c9f8771b5ca702b83906a + ztunnel: + sha: 1ddf2f33fbbe75688a54c60fab2b805b2405f861 +docker: docker.io/istio +dockerOutput: tar +skipGenerateBillOfMaterials: false +version: 1.24.3 diff --git a/istio-1.24.3/manifests/profiles/ambient.yaml b/istio-1.24.3/manifests/profiles/ambient.yaml new file mode 100644 index 00000000..fbdbf3a3 --- /dev/null +++ b/istio-1.24.3/manifests/profiles/ambient.yaml @@ -0,0 +1,13 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true + ztunnel: + enabled: true + ingressGateways: + - name: istio-ingressgateway + enabled: false + values: + profile: ambient diff --git a/istio-1.24.3/manifests/profiles/default.yaml b/istio-1.24.3/manifests/profiles/default.yaml new file mode 100644 index 00000000..f8108eb3 --- /dev/null +++ b/istio-1.24.3/manifests/profiles/default.yaml 
@@ -0,0 +1,32 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + hub: docker.io/istio + tag: 1.24.3 + + # Turn on default components: base, pilot, and ingress gateway + components: + base: + enabled: true + pilot: + enabled: true + # Istio Gateway feature + ingressGateways: + - name: istio-ingressgateway + enabled: true + egressGateways: + - name: istio-egressgateway + enabled: false + + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + gateways: + istio-ingressgateway: {} + istio-egressgateway: {} diff --git a/istio-1.24.3/manifests/profiles/demo.yaml b/istio-1.24.3/manifests/profiles/demo.yaml new file mode 100644 index 00000000..e5de1182 --- /dev/null +++ b/istio-1.24.3/manifests/profiles/demo.yaml @@ -0,0 +1,9 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + egressGateways: + - name: istio-egressgateway + enabled: true + values: + profile: demo \ No newline at end of file diff --git a/istio-1.24.3/manifests/profiles/empty.yaml b/istio-1.24.3/manifests/profiles/empty.yaml new file mode 100644 index 00000000..07de5b1e --- /dev/null +++ b/istio-1.24.3/manifests/profiles/empty.yaml @@ -0,0 +1,13 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false diff --git a/istio-1.24.3/manifests/profiles/minimal.yaml b/istio-1.24.3/manifests/profiles/minimal.yaml new file mode 100644 index 00000000..075881ee --- /dev/null +++ b/istio-1.24.3/manifests/profiles/minimal.yaml 
@@ -0,0 +1,8 @@ +# The minimal profile will install just the core control plane +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - name: istio-ingressgateway + enabled: false diff --git a/istio-1.24.3/manifests/profiles/openshift-ambient.yaml b/istio-1.24.3/manifests/profiles/openshift-ambient.yaml new file mode 100644 index 00000000..6e00707f --- /dev/null +++ b/istio-1.24.3/manifests/profiles/openshift-ambient.yaml @@ -0,0 +1,18 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true + namespace: kube-system + ztunnel: + enabled: true + namespace: kube-system + ingressGateways: + - name: istio-ingressgateway + enabled: false + values: + profile: ambient + global: + platform: openshift + diff --git a/istio-1.24.3/manifests/profiles/openshift.yaml b/istio-1.24.3/manifests/profiles/openshift.yaml new file mode 100644 index 00000000..2304deda --- /dev/null +++ b/istio-1.24.3/manifests/profiles/openshift.yaml @@ -0,0 +1,10 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true + namespace: kube-system + values: + global: + platform: openshift diff --git a/istio-1.24.3/manifests/profiles/preview.yaml b/istio-1.24.3/manifests/profiles/preview.yaml new file mode 100644 index 00000000..d48d8412 --- /dev/null +++ b/istio-1.24.3/manifests/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + values: + profile: preview diff --git a/istio-1.24.3/manifests/profiles/remote.yaml b/istio-1.24.3/manifests/profiles/remote.yaml new file mode 100644 index 00000000..46be8baa --- /dev/null +++ b/istio-1.24.3/manifests/profiles/remote.yaml 
@@ -0,0 +1,15 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: true
+ pilot:
+ enabled: true
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
+ values:
+ profile: remote
diff --git a/istio-1.24.3/manifests/profiles/stable.yaml b/istio-1.24.3/manifests/profiles/stable.yaml
new file mode 100644
index 00000000..f4c4ef1f
--- /dev/null
+++ b/istio-1.24.3/manifests/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ values:
+ profile: stable
diff --git a/istio-1.24.3/samples/README.md b/istio-1.24.3/samples/README.md
new file mode 100644
index 00000000..a1a140f8
--- /dev/null
+++ b/istio-1.24.3/samples/README.md
@@ -0,0 +1,3 @@
+# Istio Samples
+
+This directory contains sample applications highlighting various Istio features.
diff --git a/istio-1.24.3/samples/addons/README.md b/istio-1.24.3/samples/addons/README.md
new file mode 100644
index 00000000..6259c014
--- /dev/null
+++ b/istio-1.24.3/samples/addons/README.md
@@ -0,0 +1,102 @@
+# Telemetry Addons
+
+This directory contains sample deployments of various addons that integrate with Istio. While these applications
+are not a part of Istio, they are essential to making the most of Istio's observability features.
+
+The deployments here are meant to quickly get up and running, and are optimized for this case. As a result,
+they may not be suitable for production. See below for more info on integrating a production grade version of each
+addon.
+
+## Getting started
+
+To quickly deploy all addons:
+
+```shell script
+kubectl apply -f samples/addons
+```
+
+Alternatively, you can deploy individual addons:
+
+```shell script
+kubectl apply -f samples/addons/prometheus.yaml
+```
+
+## Addons
+
+### Prometheus
+
+[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database.
+You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh.
+You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali).
+
+For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/).
+
+### Grafana
+
+[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio.
+You can use Grafana to monitor the health of Istio and of applications within the service mesh.
+
+This sample provides the following dashboards:
+
+* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh.
+* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service.
+* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload.
+* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh.
+* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane.
+* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state.
+
+For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/).
+
+### Kiali
+
+[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities.
+It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh.
+Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries.
+Distributed tracing is provided by integrating [Jaeger](#jaeger).
+
+For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task.
+
+### Jaeger
+
+[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems.
+
+Jaeger helps in a variety of tasks including:
+
+* Distributed context propagation
+* Distributed transaction monitoring
+* Root cause analysis
+* Service dependency analysis
+* Performance / latency optimization
+
+For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/).
+
+### Zipkin
+
+[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data.
+
+Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`.
+You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it
+to begin with by following the selective installation steps in [Getting Started](#getting-started).
+
+For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/).
+
+### Prometheus Operator
+
+The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance.
+
+As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor`
+Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`.
+
+> **Note**
+>
+> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default.
+>
+> **Note**
+>
+> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components.
+> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this.
+>
+> **Warning**
+>
+> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist.
+> This is because `namespaceSelector` is ignored for tenancy isolation.
diff --git a/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml b/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml
new file mode 100644
index 00000000..73a926ef
--- /dev/null
+++ b/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml
@@ -0,0 +1,66 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: istio-system
+ labels:
+ monitoring: istio-proxies
+ release: istio
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ podMetricsEndpoints:
+ - path: /stats/prometheus
+ interval: 15s
+ relabelings:
+ - action: keep
+ sourceLabels: [__meta_kubernetes_pod_container_name]
+ regex: "istio-proxy"
+ - action: keep
+ sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape]
+ - action: replace
+ regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
+ replacement: '[$2]:$1'
+ sourceLabels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_port
+ - __meta_kubernetes_pod_ip
+ targetLabel: __address__
+ - action: replace
+ regex: (\d+);((([0-9]+?)(\.|$)){4})
+ replacement: $2:$1
+ sourceLabels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_port
+ - __meta_kubernetes_pod_ip
+ targetLabel: __address__
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: istio-system
+ labels:
+ monitoring: istio-components
+ release: istio
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
diff --git a/istio-1.24.3/samples/addons/extras/skywalking.yaml b/istio-1.24.3/samples/addons/extras/skywalking.yaml
new file mode 100644
index 00000000..2bc0c4df
--- /dev/null
+++ b/istio-1.24.3/samples/addons/extras/skywalking.yaml
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: skywalking-oap
+ namespace: istio-system
+ labels:
+ app: skywalking-oap
+spec:
+ selector:
+ matchLabels:
+ app: skywalking-oap
+ template:
+ metadata:
+ labels:
+ app: skywalking-oap
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: skywalking-oap
+ image: apache/skywalking-oap-server:9.7.0
+ env:
+ - name: SW_HEALTH_CHECKER
+ value: default
+ readinessProbe:
+ exec:
+ command:
+ - /skywalking/bin/swctl
+ - health
+ initialDelaySeconds: 30
+ periodSeconds: 5
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: skywalking-oap
+spec:
+ type: ClusterIP
+ ports:
+ - name: grpc
+ port: 11800
+ protocol: TCP
+ targetPort: 11800
+ - name: http-query
+ port: 12800
+ protocol: TCP
+ targetPort: 12800
+ selector:
+ app: skywalking-oap
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: skywalking-oap
+ name: skywalking-oap
+ namespace: istio-system
+spec:
+ ports:
+ - port: 11800
+ targetPort: 11800
+ name: grpc
+ - port: 12800
+ targetPort: 12800
+ name: http-query
+ selector:
+ app: skywalking-oap
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: skywalking-ui
+ namespace: istio-system
+ labels:
+ app: skywalking-ui
+spec:
+ selector:
+ matchLabels:
+ app: skywalking-ui
+ template:
+ metadata:
+ labels:
+ app: skywalking-ui
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: skywalking-ui
+ image: apache/skywalking-ui:9.1.0
+ env:
+ - name: SW_OAP_ADDRESS
+ value: http://skywalking-oap:12800
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing-ui
+ namespace: istio-system
+ labels:
+ app: skywalking-ui
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: skywalking-ui
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: skywalking-ui
+ name: skywalking-ui
+ namespace: istio-system
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ name: http
+ selector:
+ app: skywalking-ui
diff --git a/istio-1.24.3/samples/addons/extras/zipkin.yaml b/istio-1.24.3/samples/addons/extras/zipkin.yaml
new file mode 100644
index 00000000..3a9d259b
--- /dev/null
+++ b/istio-1.24.3/samples/addons/extras/zipkin.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zipkin
+ namespace: istio-system
+ labels:
+ app: zipkin
+spec:
+ selector:
+ matchLabels:
+ app: zipkin
+ template:
+ metadata:
+ labels:
+ app: zipkin
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: zipkin
+ image: openzipkin/zipkin-slim:3.4.0
+ env:
+ - name: STORAGE_METHOD
+ value: "mem"
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 9411
+ initialDelaySeconds: 5
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: zipkin
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 9411
+ selector:
+ app: zipkin
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: zipkin
diff --git a/istio-1.24.3/samples/addons/grafana.yaml b/istio-1.24.3/samples/addons/grafana.yaml
new file mode 100644
index 00000000..c19ae7d1
--- /dev/null
+++ b/istio-1.24.3/samples/addons/grafana.yaml
@@ -0,0 +1,1112 @@ +--- +# Source: grafana/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: false +metadata: + labels: + helm.sh/chart: grafana-8.5.8 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "11.2.2-security-01" + app.kubernetes.io/managed-by: Helm + name: grafana + namespace: istio-system +--- +# Source: grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-8.5.8 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "11.2.2-security-01" + app.kubernetes.io/managed-by: Helm +data: + + grafana.ini: | + [analytics] + check_for_updates = true + [grafana_net] + url = https://grafana.net + [log] + mode = console + [paths] + data = /var/lib/grafana/ + logs = /var/log/grafana + plugins = /var/lib/grafana/plugins + provisioning = /etc/grafana/provisioning + [server] + domain = '' + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 15s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + - access: proxy + editable: true + isDefault: false + jsonData: + timeInterval: 5s + name: Loki + orgId: 1 + type: loki + url: http://loki:3100 + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + - disableDeletion: false + folder: istio + name: istio-services + options: + path: /var/lib/grafana/dashboards/istio-services + orgId: 1 + type: file +--- +# Source: grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-8.5.8 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + 
app.kubernetes.io/version: "11.2.2-security-01" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: service + port: 3000 + protocol: TCP + targetPort: 3000 + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana +--- +# Source: grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-8.5.8 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "11.2.2-security-01" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + sidecar.istio.io/inject: "false" + annotations: + checksum/config: 68c00ea91b7ba5c04efc55555ef2307f52aaf738b04e9665e91bb756c8f32b22 + checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24 + kubectl.kubernetes.io/default-container: grafana + spec: + + serviceAccountName: grafana + automountServiceAccountToken: true + enableServiceLinks: true + containers: + - name: grafana + image: "docker.io/grafana/grafana:11.2.2-security-01" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: storage + mountPath: "/var/lib/grafana" + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: dashboards-istio-services + mountPath: "/var/lib/grafana/dashboards/istio-services" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: "datasources.yaml" + - name: config + 
mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: "dashboardproviders.yaml" + ports: + - name: grafana + containerPort: 3000 + protocol: TCP + - name: gossip-tcp + containerPort: 9094 + protocol: TCP + - name: gossip-udp + containerPort: 9094 + protocol: UDP + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: GF_PATHS_DATA + value: /var/lib/grafana/ + - name: GF_PATHS_LOGS + value: /var/log/grafana + - name: GF_PATHS_PLUGINS + value: /var/lib/grafana/plugins + - name: GF_PATHS_PROVISIONING + value: /etc/grafana/provisioning + - name: "GF_AUTH_ANONYMOUS_ENABLED" + value: "true" + - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" + value: "Admin" + - name: "GF_AUTH_BASIC_ENABLED" + value: "false" + - name: "GF_SECURITY_ADMIN_PASSWORD" + value: "admin" + - name: "GF_SECURITY_ADMIN_USER" + value: "admin" + livenessProbe: + failureThreshold: 10 + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: 3000 + volumes: + - name: config + configMap: + name: grafana + - name: dashboards-istio + configMap: + name: istio-grafana-dashboards + - name: dashboards-istio-services + configMap: + name: istio-services-grafana-dashboards + - name: storage + emptyDir: {} + +--- + +apiVersion: v1 +data: + istio-performance-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":{"type":"datasource","uid":"grafana"},"enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"links":[],"liveNow":false,"panels":[{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Performance Dashboard 
Notes","type":"row"},{"gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"options":{"code":{"language":"plaintext","showLineNumbers":false,"showMiniMap":false},"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","mode":"markdown"},"pluginVersion":"10.1.5","title":"Performance Dashboard README","transparent":true,"type":"text"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":7},"id":6,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"vCPU 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":8},"id":4,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"vCPU / 1k 
rps","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":8},"id":7,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"vCPU","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":16},"id":13,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Memory and Data 
Rates","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":17},"id":902,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"title":"Memory 
Usage","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"Bps"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":17},"id":11,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"Bytes transferred / sec","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":25},"id":17,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Istio Component 
Versions","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":24,"x":0,"y":26},"id":15,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"title":"Istio Components by Version","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":34},"id":71,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Proxy Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":0,"y":35},"id":72,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":6,"y":35},"id":73,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"vCPU","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":12,"y":35},"id":702,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"title":"Disk","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":42},"id":69,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Istiod Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":0,"y":43},"id":5,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap 
alloc","refId":"D"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":6,"y":43},"id":602,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"title":"vCPU","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":12,"y":43},"id":74,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"title":"Disk","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":18,"y":43},"id":402,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":false},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"title":"Goroutines","type":"timeseries"}],"refresh":"","schemaVersion":38,"style":"dark","tags":[],"templating":{"list":[{"hide":0,"includeAll":false,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timepicker":{"refresh_intervals":["30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","version":1,"weekStart":""} + pilot-dashboard.json: | + {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Deployed Versions","type":"row"},{"datasource":{"type":"datasource","uid":"-- 
Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (tag) (istio_build{component=\"pilot\"})","legendFormat":"Version ({{tag}})"}],"title":"Pilot Versions","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":3,"panels":[],"title":"Resource Usage","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Memory usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"bytes"}},"gridPos":{"h":10,"w":6,"x":0,"y":2},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (container_memory_working_set_bytes{container=\"discovery\",pod=~\"istiod-.*\"})","legendFormat":"Container ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_stack_inuse_bytes{app=\"istiod\"})","legendFormat":"Stack ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_heap_inuse_bytes{app=\"istiod\"})","legendFormat":"Heap (In Use) ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_heap_alloc_bytes{app=\"istiod\"})","legendFormat":"Heap (Allocated) ({{pod}})"}],"title":"Memory Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Details about memory 
allocations","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"Bps"},"overrides":[{"matcher":{"id":"byFrameRefID","options":"B"},"properties":[{"id":"custom.axisPlacement","value":"right"},{"id":"unit","value":"c/s"}]}]},"gridPos":{"h":10,"w":6,"x":6,"y":2},"id":5,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(go_memstats_alloc_bytes_total{app=\"istiod\"}[$__rate_interval]))","legendFormat":"Bytes ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(go_memstats_mallocs_total{app=\"istiod\"}[$__rate_interval]))","legendFormat":"Objects ({{pod}})"}],"title":"Memory Allocations","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"CPU usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":6,"x":12,"y":2},"id":6,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (irate(container_cpu_usage_seconds_total{container=\"discovery\",pod=~\"istiod-.*\"}[$__rate_interval]))","legendFormat":"Container ({{pod}})"}],"title":"CPU Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Goroutine count for each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":6,"x":18,"y":2},"id":7,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) 
(go_goroutines{app=\"istiod\"})","legendFormat":"Goroutines ({{pod}})"}],"title":"Goroutines","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":3},"id":8,"panels":[],"title":"Push Information","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"fieldConfig":{"defaults":{"custom":{"drawStyle":"bars","fillOpacity":100,"gradientMode":"none","showPoints":"never","stacking":{"mode":"normal"}},"unit":"ops"},"overrides":[{"matcher":{"id":"byName","options":"cds"},"properties":[{"id":"displayName","value":"Clusters"}]},{"matcher":{"id":"byName","options":"eds"},"properties":[{"id":"displayName","value":"Endpoints"}]},{"matcher":{"id":"byName","options":"lds"},"properties":[{"id":"displayName","value":"Listeners"}]},{"matcher":{"id":"byName","options":"rds"},"properties":[{"id":"displayName","value":"Routes"}]},{"matcher":{"id":"byName","options":"nds"},"properties":[{"id":"displayName","value":"DNS Tables"}]},{"matcher":{"id":"byName","options":"istio.io/debug"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"istio.io/debug/syncz"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"wads"},"properties":[{"id":"displayName","value":"Authorization"}]},{"matcher":{"id":"byName","options":"wds"},"properties":[{"id":"displayName","value":"Workloads"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.security.Authorization"},"properties":[{"id":"displayName","value":"Authorizations"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.workload.Address"},"properties":[{"id":"displayName","value":"Addresses"}]}]},"gridPos":{"h":10,"w":8,"x":0,"y":4},"id":9,"interval":"15s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (irate(pilot_xds_pushes[$__rate_interval]))","legendFormat":"{{type}}"}],"title":"XDS 
Pushes","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS push.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":8,"y":4},"id":10,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type,event) (rate(pilot_k8s_reg_events[$__rate_interval]))","legendFormat":"{{event}} {{type}}"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type,event) (rate(pilot_k8s_cfg_events[$__rate_interval]))","legendFormat":"{{event}} {{type}}"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (rate(pilot_push_triggers[$__rate_interval]))","legendFormat":"Push {{type}}"}],"title":"Events","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total number of XDS connections\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":16,"y":4},"id":11,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","legendFormat":"Connections (client reported)"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (pilot_xds)","legendFormat":"Connections (server reported)"}],"title":"Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Number of push errors. 
Many of these are at least potentional fatal and should be explored in-depth via Istiod logs.\nNote: metrics here do not use rate() to avoid missing transition from \"No series\"; series are not reported if there are no errors at all.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":0,"y":14},"id":12,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (pilot_total_xds_rejects)","legendFormat":"Rejected Config ({{type}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"pilot_total_xds_internal_errors","legendFormat":"Internal Errors"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"pilot_xds_push_context_errors","legendFormat":"Push Context Errors"}],"title":"Push Errors","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of active and pending proxies managed by each instance.\nPending is expected to converge to zero.\n","gridPos":{"h":10,"w":8,"x":8,"y":14},"id":13,"interval":"1m","options":{"calculation":{"xBuckets":{"mode":"size","value":"1min"}},"cellGap":0,"color":{"mode":"scheme","scheme":"Spectral","steps":128},"yAxis":{"decimals":0,"unit":"s"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(rate(pilot_xds_push_time_bucket{}[1m])) by (le)","format":"heatmap","legendFormat":"{{le}}"}],"title":"Push Time","type":"heatmap"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS 
push.\n","gridPos":{"h":10,"w":8,"x":16,"y":14},"id":14,"interval":"1m","options":{"calculation":{"xBuckets":{"mode":"size","value":"1min"}},"cellGap":0,"color":{"mode":"scheme","scheme":"Spectral","steps":128},"yAxis":{"decimals":0,"unit":"bytes"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(rate(pilot_xds_config_size_bytes_bucket{}[1m])) by (le)","format":"heatmap","legendFormat":"{{le}}"}],"title":"Push Size","type":"heatmap"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":100},"id":15,"panels":[],"title":"Webhooks","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Rate of XDS push operations, by type. This is incremented on a per-proxy basis.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":12,"x":0,"y":101},"id":16,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(galley_validation_passed[$__rate_interval]))","legendFormat":"Success"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(galley_validation_failed[$__rate_interval]))","legendFormat":"Failure"}],"title":"Validation","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS push.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":12,"x":12,"y":101},"id":17,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(sidecar_injection_success_total[$__rate_interval]))","legendFormat":"Success"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum 
(rate(sidecar_injection_failure_total[$__rate_interval]))","legendFormat":"Failure"}],"title":"Injection","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Control Plane Dashboard","uid":"1813f692a8e4ac77155348d4c7d2fba8"} + ztunnel-dashboard.json: | + {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Process","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (tag) (istio_build{component=\"ztunnel\"})","legendFormat":"Version ({{tag}})"}],"title":"Ztunnel Versions","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Memory usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"bytes"}},"gridPos":{"h":8,"w":8,"x":8,"y":1},"id":3,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (container_memory_working_set_bytes{container=\"istio-proxy\",pod=~\"ztunnel-.*\"})","legendFormat":"Container ({{pod}})"}],"title":"Memory Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"CPU usage of each running 
instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":16,"y":1},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (irate(container_cpu_usage_seconds_total{container=\"istio-proxy\",pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Container ({{pod}})"}],"title":"CPU Usage","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":9},"id":5,"panels":[],"title":"Network","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Connections opened and closed per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"cps"}},"gridPos":{"h":8,"w":8,"x":0,"y":10},"id":6,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_tcp_connections_opened_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Opened ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"-sum by (pod) (rate(istio_tcp_connections_closed_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Closed ({{pod}})"}],"title":"Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Bytes sent and received per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"Bps"}},"gridPos":{"h":8,"w":8,"x":8,"y":10},"id":7,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) 
(rate(istio_tcp_sent_bytes_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Sent ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_tcp_received_bytes_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Received ({{pod}})"}],"title":"Bytes Transmitted","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"DNS queries received per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"qps"}},"gridPos":{"h":8,"w":8,"x":16,"y":10},"id":8,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_dns_requests_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Request ({{pod}})"}],"title":"DNS Request","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":18},"id":9,"panels":[],"title":"Operations","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of XDS connection terminations.\nThis will typically spike every 30min for each instance.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":0,"y":19},"id":10,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_xds_connection_terminations_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"XDS Connection Terminations ({{pod}})"}],"title":"XDS Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed 
--"},"fieldConfig":{"defaults":{"custom":{"drawStyle":"bars","fillOpacity":100,"gradientMode":"none","showPoints":"never","stacking":{"mode":"normal"}},"unit":"ops"},"overrides":[{"matcher":{"id":"byName","options":"cds"},"properties":[{"id":"displayName","value":"Clusters"}]},{"matcher":{"id":"byName","options":"eds"},"properties":[{"id":"displayName","value":"Endpoints"}]},{"matcher":{"id":"byName","options":"lds"},"properties":[{"id":"displayName","value":"Listeners"}]},{"matcher":{"id":"byName","options":"rds"},"properties":[{"id":"displayName","value":"Routes"}]},{"matcher":{"id":"byName","options":"nds"},"properties":[{"id":"displayName","value":"DNS Tables"}]},{"matcher":{"id":"byName","options":"istio.io/debug"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"istio.io/debug/syncz"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"wads"},"properties":[{"id":"displayName","value":"Authorization"}]},{"matcher":{"id":"byName","options":"wds"},"properties":[{"id":"displayName","value":"Workloads"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.security.Authorization"},"properties":[{"id":"displayName","value":"Authorizations"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.workload.Address"},"properties":[{"id":"displayName","value":"Addresses"}]}]},"gridPos":{"h":8,"w":8,"x":8,"y":19},"id":11,"interval":"15s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (url) (irate(istio_xds_message_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"{{url}}"}],"title":"XDS Pushes","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of active and pending proxies managed by each instance.\nPending is expected to converge to 
zero.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":16,"y":19},"id":12,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (workload_manager_active_proxy_count{pod=~\"ztunnel-.*\"})","legendFormat":"Active Proxies ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (workload_manager_pending_proxy_count{pod=~\"ztunnel-.*\"})","legendFormat":"Pending Proxies ({{pod}})"}],"title":"Workload Manager","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Ztunnel Dashboard","uid":"12c58766acc81a1c835dd5059eaf2741"} +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-grafana-dashboards + namespace: istio-system + +--- + +apiVersion: v1 +data: + istio-extension-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":{"type":"datasource","uid":"grafana"},"enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"links":[],"liveNow":false,"panels":[{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Wasm 
VMs","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"description":"","fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":1},"id":2,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"title":"Active","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"gree
n","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":1},"id":6,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"title":"Created","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Wasm Module Remote Load","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":0,"y":10},"id":11,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legen
dFormat":"entries","refId":"A"}],"title":"Cache Entry","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":8,"y":10},"id":8,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"title":"Cache 
Visit","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":16,"y":10},"id":10,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"title":"Remote Fetch","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Proxy Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":19},"id":72,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":19},"id":73,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"title":"vCPU","type":"timeseries"}],"refresh":"","schemaVersion":38,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":false,"text":"default","value":"default"},"hide":0,"includeAll":false,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","version":1,"weekStart":""} + istio-mesh-dashboard.json: | + {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Global 
Traffic","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total requests in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), 0.01)"}],"title":"Traffic Volume","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total success rate of requests in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"percentunit"}},"gridPos":{"h":5,"w":6,"x":6,"y":1},"id":3,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code!~\"5..\"}[$__rate_interval])) / sum (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval]))"}],"title":"Success Rate","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total 4xx requests in in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":12,"y":1},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code=~\"4..\"}[$__rate_interval])), 
0.01)or vector(0)"}],"title":"4xxs","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total 5xx requests in in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":18,"y":1},"id":5,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code=~\"5..\"}[$__rate_interval])), 0.01)or vector(0)"}],"title":"5xxs","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Request information for HTTP services","fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Value #requests"},"properties":[{"id":"displayName","value":"Requests"},{"id":"decimals","value":2},{"id":"unit","value":"reqps"}]},{"matcher":{"id":"byName","options":"Value #p50"},"properties":[{"id":"displayName","value":"P50 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #p90"},"properties":[{"id":"displayName","value":"P90 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #p99"},"properties":[{"id":"displayName","value":"P99 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #success"},"properties":[{"id":"displayName","value":"Success 
Rate"},{"id":"decimals","value":2},{"id":"unit","value":"percentunit"},{"id":"custom.cellOptions","value":{"type":"color-background"}},{"id":"thresholds","value":{"mode":"absolute","steps":[{"color":"red","value":null},{"color":"yellow","value":"0.95"},{"color":"green","value":1}]}}]},{"matcher":{"id":"byName","options":"destination_workload_var"},"properties":[{"id":"displayName","value":"Workload"}]},{"matcher":{"id":"byName","options":"destination_service"},"properties":[{"id":"displayName","value":"Service"},{"id":"custom.minWidth","value":400}]},{"matcher":{"id":"byName","options":"destination_workload_namespace"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"destination_workload"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"Time"},"properties":[{"id":"custom.hidden","value":true}]}]},"gridPos":{"h":16,"w":24,"y":10},"id":6,"interval":"5s","pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"requests"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.5, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"p50"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.9, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"p90"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.99, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"p99"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace) (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code!~\"5..\"}[$__rate_interval]))/sum by (destination_workload,destination_workload_namespace) (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"success"}],"title":"HTTP/gRPC Workloads","transformations":[{"id":"merge"}],"type":"table"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Bytes sent and recieived information for TCP services","fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Value #recv"},"properties":[{"id":"displayName","value":"Bytes 
Received"},{"id":"decimals","value":2},{"id":"unit","value":"bps"}]},{"matcher":{"id":"byName","options":"Value #sent"},"properties":[{"id":"displayName","value":"Bytes Sent"},{"id":"decimals","value":2},{"id":"unit","value":"bps"}]},{"matcher":{"id":"byName","options":"destination_workload_var"},"properties":[{"id":"displayName","value":"Workload"}]},{"matcher":{"id":"byName","options":"destination_service"},"properties":[{"id":"displayName","value":"Service"},{"id":"custom.minWidth","value":400}]},{"matcher":{"id":"byName","options":"destination_workload_namespace"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"destination_workload"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"Time"},"properties":[{"id":"custom.hidden","value":true}]}]},"gridPos":{"h":16,"w":24,"y":26},"id":7,"interval":"5s","pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_tcp_received_bytes_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"recv"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_tcp_sent_bytes_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"sent"}],"title":"TCP 
Workloads","transformations":[{"id":"merge"}],"type":"table"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":42},"id":8,"panels":[],"title":"Istio Component Versions","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":24,"x":0,"y":43},"id":9,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (component,tag) (istio_build)","legendFormat":"{{component}} ({{tag}})"}],"title":"Istio Component Versions","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Mesh Dashboard","uid":"1a9a8ea49444aae205c7737573e894f9"} + istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":{\"type\":\"datasource\",\"uid\":\"grafana\"},\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, + 211, 255, 1)\",\"name\":\"Annotations & Alerts\",\"type\":\"dashboard\"}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"links\":[],\"liveNow\":false,\"panels\":[{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"General\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Client + Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[],\"noValue\":\"0\",\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"dark-red\",\"value\":null},{\"color\":\"dark-yellow\",\"value\":0.95},{\"color\":\"dark-green\",\"value\":0.99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"editorMode\":\"code\",\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / (sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])) + or on () vector(1))\",\"format\":\"time_series\",\"intervalFactor\":1,\"range\":true,\"refId\":\"A\"}],\"title\":\"Client + Success Rate (non-5xx 
responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"id\":87,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Client + Request Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP + Received 
Bytes\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Server + Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[],\"noValue\":\"0\",\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"rgba(50, + 172, 45, 0.97)\",\"value\":null},{\"color\":\"rgba(237, 129, 40, 0.89)\",\"value\":95},{\"color\":\"rgba(245, + 54, 54, 
0.9)\",\"value\":99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"editorMode\":\"code\",\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / (sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])) + or on () vector(1))\",\"format\":\"time_series\",\"intervalFactor\":1,\"range\":true,\"refId\":\"A\"}],\"title\":\"Server + Success Rate (non-5xx responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"id\":99,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\
":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Server + Request Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP + Sent Bytes\",\"type\":\"stat\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":12},\"id\":104,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Client + Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"id\":25,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming + Requests By Source And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"id\":26,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"mul
ti\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming + Success Rate (non-5xx responses) By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"id\":27,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Duration By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[
{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"id\":28,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Size By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"id\":68,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response Size By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"id\":80,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Received from Incoming TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"id\":82,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", 
destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"type\":\"timeseries\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":34},\"id\":102,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Service + Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":35},\"id\":69,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":38},\"id\":90,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, + destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming Requests By Destination + Workload And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":38},\"id\":91,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom
\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming + Success Rate (non-5xx responses) By Destination 
Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":44},\"id\":94,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + 
connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming + Request Duration By Service 
Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":44},\"id\":95,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + 
sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming + Request Size By Service Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":44},\"id\":96,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"hist
ogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + 
destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response + Size By Service Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":50},\"id\":92,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\
":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Received from Incoming TCP 
Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":50},\"id\":93,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", 
destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"type\":\"timeseries\"}],\"refresh\":\"1m\",\"schemaVersion\":38,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"hide\":0,\"includeAll\":false,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"current\":{\"selected\":false,\"text\":\"details.default.svc.cluster.local\",\"value\":\"details.default.svc.cluster.local\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by 
(destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[{\"selected\":false,\"text\":\"source\",\"value\":\"source\"},{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"}],\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by (source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by 
(source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_cluster) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload 
Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or + sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) + by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( + sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", + destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", + destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-15m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Service Dashboard\",\"version\":1,\"weekStart\":\"\"}\n" + istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":{\"type\":\"datasource\",\"uid\":\"grafana\"},\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, + 211, 255, 1)\",\"name\":\"Annotations 
& Alerts\",\"type\":\"dashboard\"}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"links\":[],\"liveNow\":false,\"panels\":[{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"General\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Incoming + Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"rgba(50, + 172, 45, 0.97)\",\"value\":null},{\"color\":\"rgba(237, 129, 40, 0.89)\",\"value\":95},{\"color\":\"rgba(245, + 54, 54, 
0.9)\",\"value\":99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"title\":\"Incoming + Success Rate (non-5xx responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"id\":87,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\
":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Request + 
Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP + Server Traffic\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, + 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP + Client Traffic\",\"type\":\"stat\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":12},\"id\":93,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Inbound + Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"id\":25,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ 
response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming + Requests By Source And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"id\":26,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"
placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ 
source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming + Success Rate (non-5xx responses) By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"id\":27,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or 
histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Duration By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"id\":28,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Size By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"id\":68,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",
\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 
(\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response Size By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"id\":80,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Received from Incoming TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"id\":82,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"type\":\"timeseries\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":34},\"id\":91,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Outbound + Services\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":35},\"id\":69,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":38},\"id\":70,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Outgoing + Requests By Destination And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":38},\"id\":71,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10
.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Outgoing Success + Rate (non-5xx responses) By 
Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":44},\"id\":72,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + 
source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 
(\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + 
connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Outgoing + Request Duration By Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":44},\"id\":73,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + 
sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} 
P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Outgoing + Request Size By Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":44},\"id\":74,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response + Size By 
Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":50},\"id\":76,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) 
by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes Sent on + Outgoing TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":50},\"id\":78,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes Received + from Outgoing TCP Connection\",\"type\":\"timeseries\"}],\"refresh\":\"1m\",\"schemaVersion\":38,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"hide\":0,\"includeAll\":false,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) + by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)) or 
(sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[{\"selected\":false,\"text\":\"source\",\"value\":\"source\"},{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"}],\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound 
+ Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination + Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-30m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Workload Dashboard\",\"version\":1,\"weekStart\":\"\"}\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-services-grafana-dashboards + namespace: istio-system 
diff --git a/istio-1.24.3/samples/addons/jaeger.yaml b/istio-1.24.3/samples/addons/jaeger.yaml
new file mode 100644
index 00000000..6cc13587
--- /dev/null
+++ b/istio-1.24.3/samples/addons/jaeger.yaml
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ sidecar.istio.io/inject: "false"
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+ spec:
+ containers:
+ - name: jaeger
+ image: "docker.io/jaegertracing/all-in-one:1.58"
+ env:
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: ":9411"
+ - name: MEMORY_MAX_TRACES
+ value: "50000"
+ - name: QUERY_BASE_PATH
+ value: /jaeger
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+ resources:
+ requests:
+ cpu: 10m
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 16686
+ # Note: Change port name if you add '--query.grpc.tls.enabled=true'
+ - name: grpc-query
+ port: 16685
+ protocol: TCP
+ targetPort: 16685
+ selector:
+ app: jaeger
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: jaeger
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: jaeger
diff --git a/istio-1.24.3/samples/addons/kiali.yaml b/istio-1.24.3/samples/addons/kiali.yaml
new file mode 100644
index 00000000..f899a633
--- /dev/null
+++ b/istio-1.24.3/samples/addons/kiali.yaml
@@ -0,0 +1,425 @@ +--- +# Source: kiali-server/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kiali + namespace: "istio-system" + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +... +--- +# Source: kiali-server/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + namespace: "istio-system" + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +data: + config.yaml: | + additional_display_details: + - annotation: kiali.io/api-spec + icon_annotation: kiali.io/api-type + title: API Documentation + auth: + openid: {} + openshift: + client_id_prefix: kiali + strategy: anonymous + clustering: + autodetect_secrets: + enabled: true + label: kiali.io/multiCluster=true + clusters: [] + deployment: + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + cluster_wide_access: true + configmap_annotations: {} + custom_envs: [] + custom_secrets: [] + dns: + config: {} + policy: "" + host_aliases: [] + hpa: + api_version: autoscaling/v2 + spec: {} + image_digest: "" + image_name: quay.io/kiali/kiali + image_pull_policy: IfNotPresent + image_pull_secrets: [] + image_version: v2.0 + ingress: + additional_labels: {} + class_name: nginx + override_yaml: + metadata: {} + ingress_enabled: false + instance_name: kiali + logger: + log_format: text + log_level: info + sampler_rate: "1" + time_field_format: 2006-01-02T15:04:05Z07:00 + namespace: istio-system + node_selector: {} + pod_annotations: {} + pod_labels: + sidecar.istio.io/inject: "false" + priority_class_name: "" + replicas: 1 + 
resources: + limits: + memory: 1Gi + requests: + cpu: 10m + memory: 64Mi + secret_name: kiali + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v2.0.0 + view_only_mode: false + external_services: + custom_dashboards: + enabled: true + istio: + root_namespace: istio-system + tracing: + enabled: false + identity: + cert_file: "" + private_key_file: "" + istio_namespace: istio-system + kiali_feature_flags: + disabled_features: [] + validations: + ignore: + - KIA1301 + login_token: + signing_key: CHANGEME00000000 + server: + observability: + metrics: + enabled: true + port: 9090 + port: 20001 + web_root: /kiali +... +--- +# Source: kiali-server/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - pods/log + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - 
watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - kiali-istio-system + verbs: + - get +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +... +--- +# Source: kiali-server/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali +subjects: +- kind: ServiceAccount + name: kiali + namespace: "istio-system" +... +--- +# Source: kiali-server/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: kiali + namespace: "istio-system" + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" + annotations: +spec: + ports: + - name: http + appProtocol: http + protocol: TCP + port: 20001 + - name: http-metrics + appProtocol: http + protocol: TCP + port: 9090 + selector: + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali +... 
+--- +# Source: kiali-server/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kiali + namespace: "istio-system" + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-2.0.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v2.0.0" + app.kubernetes.io/version: "v2.0.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" + sidecar.istio.io/inject: "false" + annotations: + checksum/config: 03a677accc379d7d5b7b3c74464dc72867b31f794e5beaa98221ba19c5735016 + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + kiali.io/dashboards: go,kiali + spec: + serviceAccountName: kiali + containers: + - image: "quay.io/kiali/kiali:v2.0" + imagePullPolicy: IfNotPresent + name: kiali + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + ports: + - name: api-port + containerPort: 20001 + - name: http-metrics + containerPort: 9090 + readinessProbe: + httpGet: + path: /kiali/healthz + port: api-port + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: /kiali/healthz + port: api-port + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "info" + - name: 
LOG_FORMAT + value: "text" + - name: LOG_TIME_FIELD_FORMAT + value: "2006-01-02T15:04:05Z07:00" + - name: LOG_SAMPLER_RATE + value: "1" + volumeMounts: + - name: kiali-configuration + mountPath: "/kiali-configuration" + - name: kiali-cert + mountPath: "/kiali-cert" + - name: kiali-secret + mountPath: "/kiali-secret" + - name: kiali-cabundle + mountPath: "/kiali-cabundle" + resources: + limits: + memory: 1Gi + requests: + cpu: 10m + memory: 64Mi + volumes: + - name: kiali-configuration + configMap: + name: kiali + - name: kiali-cert + secret: + secretName: istio.kiali-service-account + optional: true + - name: kiali-secret + secret: + secretName: kiali + optional: true + - name: kiali-cabundle + configMap: + name: kiali-cabundle + optional: true +... diff --git a/istio-1.24.3/samples/addons/loki.yaml b/istio-1.24.3/samples/addons/loki.yaml new file mode 100644 index 00000000..2bc77414 --- /dev/null +++ b/istio-1.24.3/samples/addons/loki.yaml 
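Review bot: The Kiali ConfigMap in this file sets `auth: strategy: anonymous` and keeps the placeholder `login_token: signing_key: CHANGEME00000000`, while the `kiali` ClusterRole bound to its ServiceAccount grants `patch` on pods, services and deployments, `create` on `pods/portforward`, and `create`/`delete`/`patch` on every `security.istio.io` and `networking.istio.io` resource cluster-wide. Any client that can reach port 20001 therefore operates with those rights without logging in, which is tolerable only while the Service is not exposed beyond the cluster. The file reads as the unmodified upstream Istio sample and the `istio-1.24.3/` tree sits at the repository root rather than under the playground directory, so it may be a download artifact; if so, drop it from the commit and add `istio-*/` to `.gitignore`. If it is meant to be applied, keep a playground-owned copy with `view_only_mode: true`, a non-anonymous strategy such as `strategy: token`, and a generated signing key. The same review applies to `loki.yaml` in the next hunk, where `loki-clusterrole` allows `get`/`watch`/`list` on all Secrets while the Loki config has `auth_enabled: false`.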
@@ -0,0 +1,382 @@ +--- +# Source: loki/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: loki/templates/config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm +data: + config.yaml: | + + auth_enabled: false + bloom_build: + builder: + planner_address: "" + enabled: false + bloom_gateway: + client: + addresses: "" + enabled: false + common: + compactor_address: 'http://loki:3100' + path_prefix: /var/loki + replication_factor: 1 + storage: + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + frontend: + scheduler_address: "" + tail_proxy_url: "" + frontend_worker: + scheduler_address: "" + index_gateway: + mode: simple + limits_config: + max_cache_freshness_per_query: 10m + query_timeout: 300s + reject_old_samples: true + reject_old_samples_max_age: 168h + split_queries_by_interval: 15m + volume_enabled: true + memberlist: + join_members: + - loki-memberlist + pattern_ingester: + enabled: false + query_range: + align_queries_with_step: true + ruler: + storage: + type: local + runtime_config: + file: /etc/loki/runtime-config/runtime-config.yaml + schema_config: + configs: + - from: "2024-04-01" + index: + period: 24h + prefix: index_ + object_store: 'filesystem' + schema: v13 + store: tsdb + server: + grpc_listen_port: 9095 + http_listen_port: 3100 + http_server_read_timeout: 600s + http_server_write_timeout: 600s + storage_config: + bloom_shipper: + working_directory: /var/loki/data/bloomshipper + boltdb_shipper: + 
index_gateway_client: + server_address: "" + hedging: + at: 250ms + max_per_second: 20 + up_to: 3 + tsdb_shipper: + index_gateway_client: + server_address: "" + tracing: + enabled: false +--- +# Source: loki/templates/runtime-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki-runtime + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm +data: + runtime-config.yaml: | + {} +--- +# Source: loki/templates/backend/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm + name: loki-clusterrole +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +--- +# Source: loki/templates/backend/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: loki-clusterrolebinding + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: loki + namespace: istio-system +roleRef: + kind: ClusterRole + name: loki-clusterrole + apiGroup: rbac.authorization.k8s.io +--- +# Source: loki/templates/service-memberlist.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki-memberlist + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm + annotations: +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp + port: 7946 + targetPort: http-memberlist + protocol: 
TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/part-of: memberlist +--- +# Source: loki/templates/single-binary/service-headless.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki-headless + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm + variant: headless + prometheus.io/service-monitor: "false" + annotations: +spec: + clusterIP: None + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki +--- +# Source: loki/templates/single-binary/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm + annotations: +spec: + type: ClusterIP + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + - name: grpc + port: 9095 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary +--- +# Source: loki/templates/single-binary/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-6.18.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "3.2.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: single-binary + app.kubernetes.io/part-of: memberlist +spec: + replicas: 1 + podManagementPolicy: Parallel + updateStrategy: + rollingUpdate: + partition: 0 + serviceName: loki-headless + revisionHistoryLimit: 10 + + persistentVolumeClaimRetentionPolicy: + whenDeleted: Delete + 
whenScaled: Delete + selector: + matchLabels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + template: + metadata: + annotations: + checksum/config: 33763d92c95bb565c019078f0419bddedd9febff7743044c8a329dfe84d4d218 + labels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + app.kubernetes.io/part-of: memberlist + spec: + serviceAccountName: loki + automountServiceAccountToken: true + enableServiceLinks: true + + securityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + terminationGracePeriodSeconds: 30 + containers: + - name: loki-sc-rules + image: "kiwigrid/k8s-sidecar:1.27.5" + imagePullPolicy: IfNotPresent + env: + - name: METHOD + value: WATCH + - name: LABEL + value: "loki_rule" + - name: FOLDER + value: "/rules" + - name: RESOURCE + value: "both" + - name: WATCH_SERVER_TIMEOUT + value: "60" + - name: WATCH_CLIENT_TIMEOUT + value: "60" + - name: LOG_LEVEL + value: "INFO" + volumeMounts: + - name: sc-rules-volume + mountPath: "/rules" + - name: loki + image: docker.io/grafana/loki:3.2.0 + imagePullPolicy: IfNotPresent + args: + - -config.file=/etc/loki/config/config.yaml + - -target=all + ports: + - name: http-metrics + containerPort: 3100 + protocol: TCP + - name: grpc + containerPort: 9095 + protocol: TCP + - name: http-memberlist + containerPort: 7946 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 30 + timeoutSeconds: 1 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: config + mountPath: /etc/loki/config + - name: runtime-config + mountPath: /etc/loki/runtime-config + - name: storage + mountPath: /var/loki + - name: sc-rules-volume + mountPath: "/rules" + resources: + {} + affinity: + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: single-binary + topologyKey: kubernetes.io/hostname + volumes: + - name: tmp + emptyDir: {} + - name: config + configMap: + name: loki + items: + - key: "config.yaml" + path: "config.yaml" + - name: runtime-config + configMap: + name: loki-runtime + - name: sc-rules-volume + emptyDir: {} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: storage + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "10Gi" diff --git a/istio-1.24.3/samples/addons/prometheus.yaml b/istio-1.24.3/samples/addons/prometheus.yaml new file mode 100644 index 00000000..78f92228 --- /dev/null +++ b/istio-1.24.3/samples/addons/prometheus.yaml 
@@ -0,0 +1,570 @@ +--- +# Source: prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus + namespace: istio-system +data: + allow-snippet-annotations: "false" + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - 
replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - honor_labels: true + job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + - honor_labels: true + job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - honor_labels: true + job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: service + - honor_labels: true + job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: 
keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + - honor_labels: true + job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - 
"networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + 
app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + replicas: 1 + revisionHistoryLimit: 10 + strategy: + type: Recreate + rollingUpdate: null + template: + metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus + app.kubernetes.io/version: v2.54.1 + helm.sh/chart: prometheus-25.27.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: prometheus + + sidecar.istio.io/inject: "false" + spec: + enableServiceLinks: true + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "ghcr.io/prometheus-operator/prometheus-config-reloader:v0.76.0" + imagePullPolicy: "IfNotPresent" + args: + - --watched-dir=/etc/config + - --listen-address=0.0.0.0:8080 + - --reload-url=http://127.0.0.1:9090/-/reload + ports: + - containerPort: 8080 + name: metrics + livenessProbe: + httpGet: + path: /healthz + port: metrics + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: metrics + scheme: HTTP + periodSeconds: 10 + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.54.1" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + 
successThreshold: 1 + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + dnsPolicy: ClusterFirst + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: storage-volume + emptyDir: + {} diff --git a/istio-1.24.3/samples/ambient-argo/README.md b/istio-1.24.3/samples/ambient-argo/README.md new file mode 100644 index 00000000..9eb1024e --- /dev/null +++ b/istio-1.24.3/samples/ambient-argo/README.md 
@@ -0,0 +1,99 @@
+# Ambient Reference Architecture w/ Argo
+
+This repo contains a reference architecture for operating Istio Ambient Mesh with ArgoCD using GitOps. It demonstrates best practices for leveraging Istio as part of an application platform.
+
+## :boom: DISCLAIMER
+
+Istio Ambient Mesh is still in Alpha, and is not suitable for production use. Likewise, this reference architecture is of Alpha quality, and includes several rough edges, including:
+ * Cluster-Scoped upgrades cause known traffic loss, and have wide blast radius.
+ * The tag chart is forked from the primary istio repo, and needs to be merged and published
+ * CRDs are not currently upgraded
+
+## Getting Started
+
+This reference architecture assumes that you have an ArgoCD installation with:
+ * A [connected cluster](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_cluster/) named `ambient-cluster`
+ * A connection to your repository (for private repos)
+
+To deploy Istio, supporting software, and the bookinfo sample application, copy this folder to the root of your repo and run:
+
+```bash
+read -p 'Please enter the URL to your repo:'
+OLD_REPO='{repo-placeholder}'
+find . \( -type d -name .git -prune \) -o -type f -name '*.yaml' -print0 | xargs -0 sed -i s,$OLD_REPO,$NEW_REPO,g
+argocd create application -f meta-application.json
+```
+
+## Repository Layout
+
+The meta-application.yaml file is an App-of-Apps that references all other applications needed for running Istio and the demo application via ArgoCD. The diagram below demonstrates the deployment mechanism for each part of the platform.
+
+![architecture diagram][layout]
+
+## Principles
+
+The [GitOps Principles](https://opengitops.dev/) guide this reference architecture. With the exception of [./meta-application.yaml](./meta-application.yaml) (the bootstrap file), Git is the source of truth for all components of our application.
Changes to all components of Istio, including the data plane, are initiated with a pull request. Likewise, rollbacks are as simple as a revert.
+
+In particular, Istio Sidecars are known to violate the Declarative principle - the version of Istio injected in the sidecar is determined at runtime by the version of the injector at the time the pod was created. Upgrading the injector does not cause the sidecar to upgrade, instead all injected pods must be restarted in order to upgrade their sidecars, which is an imperative operation, rather than a declarative one.
+
+Additionally, emerging patterns from the field of Platform Engineering guide our understanding of enterprise roles. In particular, two roles are represented in this Architecture: the Application Developer (AppDev) and Platform Engineer (PlatEng).
+
+### Role: Application Developer
+
+The AppDev is responsible for the development and delivery of their application, in this case the bookinfo e-commerce application. The AppDev will make use of Istio features, such as HTTPRoutes, AuthorizationPolicy, and L4-L7 telemetry, but is not an expert in Istio, and should be unaware of installation and upgrades. In most cases, AppDev's use of Istio APIs is both templated, to provide them with a simpler API surface, and limited by Policy with tools such as Gatekeeper. Because the focus of this architecture, these technologies are not included here.
+
+### Role: Platform Engineer
+
+The PlatEng is responsible for providing the AppDev with a comprehensive application platform, which simplifies getting the application from Source Control to Production, as well as operating the App in Production. As such, the PlatEng team must have a good deal of expertise in installing, operating, and automating a broad array of Cloud Native technologies, such as Service Mesh, Kubernetes, Observability stores and consumers, GitOps tooling, Policy enforcement, and templating tools such as Crossplane.
Due to this breadth, the Platform Engineer cannot spend all their time learning or operating any one technology, and any technology that is too difficult to operate is likely to be removed from the platform. + +## Components + +Istio is composed of six charts in Ambient Mode. The components are divided between the Control Plane and the Data Plane, and some are Cluster-Scoped, while others can have multiple versions in a single cluster. + +| | Control Plane | Data Plane | +| ------------------- |:--------------------------:| :----------------:| +| **Cluster-Scoped** | CRDs + validation | CNI
ztunnel | +| **Workload-Scoped** | istiod
tags + revisions | waypoint (envoy) | + +Of these components, only waypoints (and other gateways) are intended to be operated by the AppDev (some users may choose to limit ingress gateways to the PlatEng role as well). The remainder are the sole responsibility of the PlatEng role, and will be the focus of this reference architecture. + +### Tags and Revisions + +Istio components, particularly the waypoint, can specify which control plane they connect to (and by inference what version of the data plane they will run) using the `istio.io/rev` label set to a tag or revision. + +As in sidecar mode, every control plane installation may (and should) include a revision name, which is a stable identifier for that control plane installation and version. For simplicity, we recommend using the version of the control plane as the revision name (see [./istio/control-plane-appset.yaml:9](./istio/control-plane-appset.yaml), at .spec.generators[0].list.elements[*].revision). + +Tags also identify control planes, but unlike revisions, tags are mutable references to revisions. When an Istio Gateway (waypoint, ingress, or egress) references a particular tag, a dataplane is created using the version of the tag reference, and connects to the control plane indicated by the tag. In this way, gateways can be organized into channels, or distinct groups which will be upgraded concurrently, without any involvement from the AppDev who owns the gateway. + +In this reference architecture, three tags are used: stable, rapid, and default (the default tag will manage any gateways which do not use the `istio.io/rev` label). In the example application, we have included an ingress gateway on the default tag, and two waypoints for the reviews and details services, which use the rapid and stable tags. At the time of writing, the rapid revision points to revision 1-19-3, while the stable and default revisions point to revision 1-18-5. 
The tags definitions can be found at [./istio/tags.yaml](./istio/tags.yaml).
+
+## Upgrade Planning
+
+This reference architecture provides the tools to declaratively manage your Istio Ambient installations with simple pull requests. Before performing an upgrade, however, the PlatEng team should consider how they would like their upgrades to progress. The two most common strategies are channels and phases, and these strategies can be combined.
+
+In a phased model, there is generally a single version of Istio available in the cluster. When a new version becomes available, the phases are moved one at a time to the new version, in order, until all phases have upgraded to the new model. The phased model supports any number of phases based on the needs of your platform.
+
+In a channel model, multiple versions of Istio are available for use by application developers at any point in time, based on their requirements for risk profile and new features or bugfixes. For example, at the time of this writing, the stable tag or channel is using Istio 1.18.5, while the rapid channel is using Istio 1.19.3. Under the channel model, these versions would be updated in-place as new patch releases are produced for various bugs or security concerns. Then, when Istio 1.20.0 ships (ETA late November 2023), the rapid channel will be moved to point to version 1.20.0, while the stable version will be moved to point to 1.19.x (where x is the lates patch result at that time). Because Istio releases are supported until two subsequent minor versions are shipiped (ie 1.18 will be supported until several weeks after 1.20 ships), this reference architecture uses only two channels, though more are possible.
+
+![strategy diagram][strategies]
+
+The channel and phased strategies can be combined into a comprehensive (though somewhat complicated) model where each channel contains phases, which determine the order of rollouts within the channel.
+
+## Playbook: Minor Version Upgrade
+
+COMING SOON
+
+## Playbook: Major Version Upgrade
+
+COMING SOON
+
+## Tips and Tricks
+
+For a quick (but messy) readout on what Istio versions are being used in this repo, run:
+
+```bash
+yq '.spec.generators[0].list.elements' < istio/control-plane-appset.yaml && yq '.spec.source.helm.valuesObject.base.tags' < istio/tags.yaml && grep 'targetRevision' istio/*.yaml
+```
+
+[layout]: ./documentation/argo-reference-arch.svg "Repo Layout Diagram"
+[strategies]: ./documentation/Ambient%20Upgrade%20-%20Strategies.png "Upgrade Strategies Diagram"
diff --git a/istio-1.24.3/samples/ambient-argo/application/application.yaml b/istio-1.24.3/samples/ambient-argo/application/application.yaml
new file mode 100644
index 00000000..91eaea00
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/application.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: bookinfo-application
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: ambient-cluster
+ namespace: ambient
+ source:
+ path: application
+ repoURL: '{repo-placeholder}'
+ targetRevision: HEAD
+ directory:
+ exclude: application.yaml
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml b/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml
new file mode 100644
index 00000000..c374bbee
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v2
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v3
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v3
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: details-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+ version: v1
+---
diff --git a/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml b/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml
new file mode 100644
index 00000000..d0e5fddd
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml
@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ istio.io/rev: stable
+ name: bookinfo-details
+spec:
+ gatewayClassName: istio-waypoint
+ listeners:
+ - name: mesh
+ port: 15008
+ protocol: HBONE
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/details.yaml b/istio-1.24.3/samples/ambient-argo/application/details.yaml
new file mode 100644
index 00000000..f0d72b59
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/details.yaml
@@ -0,0 +1,50 @@
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-details
+ labels:
+ account: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-details
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.18.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml b/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml
new file mode 100644
index 00000000..fdd5e7f2
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml
@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: bookinfo
+spec:
+ parentRefs:
+ - name: bookinfo-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /productpage
+ - path:
+ type: PathPrefix
+ value: /static
+ - path:
+ type: Exact
+ value: /login
+ - path:
+ type: Exact
+ value: /logout
+ - path:
+ type: PathPrefix
+ value: /api/v1/products
+ backendRefs:
+ - name: productpage
+ port: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/namespace.yaml b/istio-1.24.3/samples/ambient-argo/application/namespace.yaml
new file mode 100644
index 00000000..1719eb58
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ambient
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/productpage.yaml b/istio-1.24.3/samples/ambient-argo/application/productpage.yaml
new file mode 100644
index 00000000..c136feb6
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/productpage.yaml
@@ -0,0 +1,60 @@
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-productpage
+ labels:
+ account: productpage
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: productpage-v1
+ labels:
+ app: productpage
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: productpage
+ version: v1
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9080"
+ prometheus.io/path: "/metrics"
+ labels:
+ app: productpage
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-productpage
+ containers:
+ - name: productpage
+ image: docker.io/istio/examples-bookinfo-productpage-v1:1.18.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/ratings.yaml b/istio-1.24.3/samples/ambient-argo/application/ratings.yaml
new file mode 100644
index 00000000..69cfd8e2
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/ratings.yaml
@@ -0,0 +1,50 @@
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings
+ labels:
+ account: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-ratings
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.18.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml b/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml
new file mode 100644
index 00000000..9cf6a1a4
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml
@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ istio.io/rev: rapid
+ name: bookinfo-reviews
+spec:
+ gatewayClassName: istio-waypoint
+ listeners:
+ - name: mesh
+ port: 15008
+ protocol: HBONE
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/reviews.yaml b/istio-1.24.3/samples/ambient-argo/application/reviews.yaml
new file mode 100644
index 00000000..6e389ad3
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/reviews.yaml
@@ -0,0 +1,143 @@
+##################################################################################################
+# Reviews service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews
+ labels:
+ app: reviews
+ service: reviews
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-reviews
+ labels:
+ account: reviews
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v1
+ labels:
+ app: reviews
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v1:1.18.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.18.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v3
+ labels:
+ app: reviews
+ version: v3
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v3
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v3
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v3:1.18.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml b/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml
new file mode 100644
index 00000000..1160a442
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml
@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+ weight: 90
+ - name: reviews-v2
+ port: 9080
+ weight: 10
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/istio/cni.yaml b/istio-1.24.3/samples/ambient-argo/istio/cni.yaml
new file mode 100644
index 00000000..85024c43
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/istio/cni.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-cni
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ destination:
+ name: ambient-cluster
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ sources:
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.18.5
+ helm:
+ valuesObject:
+ revision: rapid
+ cni:
+ cniBinDir: "/home/kubernetes/bin"
+ valueFiles:
+ - >-
+ $values/manifests/charts/istio-cni/ambient-values.yaml
+ chart: cni
+ - repoURL: 'https://github.com/istio/istio.git'
+ targetRevision: HEAD
+ ref: values
diff --git a/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml b/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml
new file mode 100644
index 00000000..129091d0
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: istio-multi-control
+spec:
+ generators:
+ - list:
+ elements:
+ - version: 1.18.5
+ revision: 1-18-5
+ - version: 1.19.3
+ revision: 1-19-3
+ template:
+ metadata:
+ name: 'istio-control-{{revision}}'
+ spec:
+ project: default
+ sources:
+ - repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: '{{version}}'
+ helm:
+ valuesObject:
+ revision: '{{revision}}'
+ valueFiles:
+ - >-
+ $values/manifests/charts/istio-control/istio-discovery/ambient-values.yaml
+ chart: istiod
+ - repoURL: 'https://github.com/istio/istio.git'
+ targetRevision: HEAD
+ ref: values
+ destination:
+ name: ambient-cluster
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
\ No newline at end of file
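Review bot: The `ref: values` source in `cni.yaml` tracks `targetRevision: HEAD` of `https://github.com/istio/istio.git` while the chart next to it is pinned to `1.18.5`, and `control-plane-appset.yaml` does the same for both istiod revisions. Because `syncPolicy.automated` sets `prune: true` and `selfHeal: true`, any change to `ambient-values.yaml` on that branch is applied to `kube-system` and `istio-system` without review, and the values can drift away from the pinned chart version. I would pin the values source to the release that matches the chart, `targetRevision: 1.18.5` in `cni.yaml` and `targetRevision: '{{version}}'` in the ApplicationSet template (a commit SHA is stricter still); `extras.yaml` has the same floating `HEAD` for `samples/addons`. These files sit under `istio-1.24.3/` at the repository root, which looks like an unpacked upstream release tree, so if it was committed unintentionally, dropping the directory from the patch removes the concern.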
diff --git a/istio-1.24.3/samples/ambient-argo/istio/extras.yaml b/istio-1.24.3/samples/ambient-argo/istio/extras.yaml
new file mode 100644
index 00000000..47a7e2dc
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/istio/extras.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-addons
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: 'https://github.com/istio/istio.git'
+ targetRevision: HEAD
+ path: samples/addons
+ directory:
+ exclude: loki.yaml
+ destination:
+ name: ambient-cluster
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-1.24.3/samples/ambient-argo/istio/tags.yaml b/istio-1.24.3/samples/ambient-argo/istio/tags.yaml
new file mode 100644
index 00000000..264ca34d
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/istio/tags.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-tags
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ destination:
+ name: ambient-cluster
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ source:
+ path: tag-chart
+ repoURL: '{repo-placeholder}'
+ targetRevision: HEAD
+ helm:
+ valuesObject:
+ base:
+ tags:
+ default:
+ revision: "1-18-5"
+ stable:
+ revision: "1-18-5"
+ rapid:
+ revision: "1-19-3"
+ istiodservice: "1-18-5" # This can be removed once ztunnel is on 1.20
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml b/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml
new file mode 100644
index 00000000..e8cad644
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-ztunnel
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: 'https://istio-release.storage.googleapis.com/charts'
+ targetRevision: 1.18.5
+ chart: ztunnel
+ helm:
+ valuesObject:
+ revision: rapid
+ destination:
+ name: ambient-cluster
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/istio-1.24.3/samples/ambient-argo/meta-application.yaml b/istio-1.24.3/samples/ambient-argo/meta-application.yaml
new file mode 100644
index 00000000..19a9344c
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/meta-application.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: meta-application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: in-cluster
+ namespace: argocd
+ server: ''
+ sources:
+ - path: istio
+ repoURL: '{repo-placeholder}'
+ targetRevision: HEAD
+ - path: application
+ repoURL: '{repo-placeholder}'
+ targetRevision: HEAD
+ directory:
+ include: application.yaml
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 2
+ backoff:
+ duration: 5s
+ maxDuration: 3m0s
+ factor: 2
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml
new file mode 100644
index 00000000..f7b73a56
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: tags
+version: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+ - istio
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml
new file mode 100644
index 00000000..339ba52a
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml
@@ -0,0 +1,109 @@ +{{- define "core" }} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "{{ .injectionPath }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1"] +{{- end }} + +{{- range $tagName, $tag := $.Values.base.tags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $tag.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks 
for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist +{{- end }} +--- +{{- end }} diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml new file mode 100644 index 00000000..ae63ae73 --- /dev/null +++ b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml 
@@ -0,0 +1,31 @@
+{{- if ((.Values.base.tags.default).revision) }}
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+ name: istiod
+ namespace: istio-system
+spec:
+ ports:
+ - name: grpc-xds
+ port: 15010
+ protocol: TCP
+ - name: https-dns
+ port: 15012
+ protocol: TCP
+ - name: https-webhook
+ port: 443
+ protocol: TCP
+ targetPort: 15017
+ - name: http-monitoring
+ port: 15014
+ protocol: TCP
+ selector:
+ app: istiod
+ istio.io/rev: {{ .Values.base.istiodservice }}
+{{- end }}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml
new file mode 100644
index 00000000..6dd4b29a
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.global.configValidation }}
+{{- if hasKey .Values.base.tags "default" }}
+{{- $tag := .Values.base.tags.default }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istiod-default-validator
+ labels:
+ app: istiod
+ istio: istiod
+ istio.io/rev: {{ $tag.revision | default "default" }}
+ istio.io/tag: "default"
+ # Required to make sure this resource is removed
+ # when purging Istio resources
+ operator.istio.io/component: Pilot
+webhooks:
+ - name: validation.istio.io
+ clientConfig:
+ {{- if $tag.validationURL }}
+ url: {{ $tag.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq $tag.revision "") }}-{{ $tag.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+---
+{{- end }}
+{{- end }}
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml
new file mode 100644
index 00000000..f27642b7
--- /dev/null
+++ b/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml
@@ -0,0 +1,41 @@
+global:
+
+ # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ istiod:
+ enableAnalysis: false
+
+ configValidation: true
+ externalIstiod: false
+ remotePilotAddress: ""
+
+base:
+ # Used for helm2 to add the CRDs to templates.
+ enableCRDTemplates: false
+
+ # Validation webhook configuration url
+ # For example: https://$remotePilotAddress:15017/validate
+ validationURL: ""
+
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+
+ # Defines the mapping from revision tags to revisions.
+ #
+ # The following fields can be set for each revision tag:
+ # (1) revision (REQUIRED): the revision to use for this revision tag.
+ # (2) namespace: the namespace containing the istiod revision.
+ # (3) validationURL: the URL to use for validation on this revision tag.
+ # (4) injectionURL: the URL to for injection on this revision tag.
+ # (5) injectionPath: the injection path to use for this tag webhook.
+ #
+ # Note that the revision tag "default" has additional semantic meaning as it
+ # controls the revision that performs validation and the revision that handles
+ # injection for default selectors ("istio-injection=enabled" and "sidecar.istio.io/inject").
+ tags: {}
diff --git a/istio-1.24.3/samples/bookinfo/README.md b/istio-1.24.3/samples/bookinfo/README.md
new file mode 100644
index 00000000..18f9701d
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/README.md
@@ -0,0 +1,234 @@ +# Bookinfo Sample + +See . + +**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository. + +## General Setup + +```bash +# This defines the docker hub to use when running integration tests and building docker images +# eg: HUB="docker.io/istio", HUB="gcr.io/istio-testing" +export HUB="docker.io/$USER" + +# This defines the docker tag to use when running integration tests and +# building docker images to be your user id. You may also set this variable +# this to any other legitimate docker tag. +export TAG= +``` + +## Compile code + +```bash +cd samples/bookinfo +BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh +``` + +For example: + +```bash +$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh ++++ dirname ./build-services.sh +++ cd . +++ pwd ++ SCRIPTDIR=/work/samples/bookinfo/src ++ cd /work/samples/bookinfo/src/../../.. ++ h=docker.io/user1 ++ t=test1.0 ++ [[ docker.io/user1 == \i\s\t\i\o ]] ++ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]] ++ plat=linux/amd64 ++ [[ '' == \t\r\u\e ]] ++ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64' +[+] Building 1.9s (123/133) + => [examples-bookinfo-ratings-v-faulty internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.05kB 0.0s +... 
+ => CACHED [examples-bookinfo-ratings-v-faulty 4/6] COPY ratings.js /opt/microservices/ 0.0s + => CACHED [examples-bookinfo-ratings-v-faulty 5/6] WORKDIR /opt/microservices 0.0s + => CACHED [examples-bookinfo-ratings-v-faulty 6/6] RUN npm install 0.0s +WARNING: No output specified for examples-bookinfo-mysqldb, examples-bookinfo-ratings-v-faulty, examples-bookinfo-reviews-v2, examples-bookinfo-reviews-v3, examples-bookinfo-productpage-v-flooding, examples-bookinfo-ratings-v-unhealthy, examples-bookinfo-ratings-v-unavailable, examples-bookinfo-ratings-v1, examples-bookinfo-details-v2, examples-bookinfo-reviews-v1, examples-bookinfo-productpage-v1, examples-bookinfo-ratings-v-delayed, examples-bookinfo-details-v1, examples-bookinfo-ratings-v2, examples-bookinfo-mongodb target(s) with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load +``` + +The code for the bookinfo sample is now compiled and built. The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. + +## Build docker images + +```bash +cd samples/bookinfo +BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh --load +``` + +For example: + +```bash +$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh --load ++++ dirname ./build-services.sh +++ cd . +++ pwd ++ SCRIPTDIR=/work/samples/bookinfo/src ++ cd /work/samples/bookinfo/src/../../.. ++ h=docker.io/user1 ++ t=test1.0 ++ [[ docker.io/user1 == \i\s\t\i\o ]] ++ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]] ++ plat=linux/amd64 ++ [[ '' == \t\r\u\e ]] +... 
+ => [examples-bookinfo-productpage-v-flooding] exporting to docker image format 10.4s + => => exporting layers 0.0s + => => exporting manifest sha256:5046deeca78c67f0977fa627b3c2a98ba380b09f4dabf5620040fbf723785f6a 0.0s + => => exporting config sha256:5a632c874e649f6492d5a6592a3da2b9ee3fca8d6f55bfbc0249b865eb8579be 0.0s + => => sending tarball 10.4s + => importing to docker 0.1s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.0s + => importing to docker 0.1s + => importing to docker 0.3s + => importing to docker 0.2s + => importing to docker 0.1s ++ [[ true == \t\r\u\e ]] ++ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: docker.io\/user1\1:test1.0#g' '{}' +/ay +``` + +Docker images are now created. + +## Push docker images to docker hub + +After the local build is successful, you will need to push the images to Docker hub. You may need to login to Docker before you run the command using `docker login`. + +```bash +cd samples/bookinfo +BOOKINFO_LATEST=true BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh --push +``` + +For example: + +```bash +$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh --push ++++ dirname ./build-services.sh +++ cd . +++ pwd ++ SCRIPTDIR=/work/samples/bookinfo/src ++ cd /work/samples/bookinfo/src/../../.. ++ h=docker.io/user1 ++ t=test1.0 ++ [[ docker.io/user1 == \i\s\t\i\o ]] ++ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]] ++ plat=linux/amd64 ++ [[ '' == \t\r\u\e ]] ++ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64' --push +... 
+ => => pushing layers 11.1s + => => pushing manifest for docker.io/user1/examples-bookinfo-reviews-v3:test1.0@sha256:4c9e2dfcabdfc55fba9037967ee412690b23d676481713eb88985926e229c8db 0.7s + => [auth] user1/examples-bookinfo-ratings-v2:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-ratings-v-delayed:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-ratings-v-unavailable:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-ratings-v-unhealthy:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-ratings-v-faulty:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-mongodb:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-details-v1:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-productpage-v1:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-details-v2:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-productpage-v-flooding:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-reviews-v1:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-reviews-v3:pull,push token for registry-1.docker.io 0.0s + => [auth] user1/examples-bookinfo-reviews-v2:pull,push token for registry-1.docker.io 0.0s ++ [[ true == \t\r\u\e ]] ++ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: docker.io\/user1\1:test1.0#g' '{}' + +``` + +## Update YAML files to point to the newly created images + +You need to update the YAML file with the latest tag that you used during the build, eg: `$HUB:$TAG`. + +Run the following script to update the YAML files in one step. 
+ +```bash +cd samples/bookinfo +export BOOKINFO_UPDATE=true +BOOKINFO_TAG=test1.0 BOOKINFO_HUB=user1 src/build-services.sh +``` + +For example: + +```bash +$ export BOOKINFO_UPDATE=true +$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=user1 src/build-services.sh ++++ dirname samples/bookinfo/src/build-services.sh +++ cd samples/bookinfo/src +++ pwd ++ SCRIPTDIR=/work/samples/bookinfo/src ++ cd /work/samples/bookinfo/src/../../.. ++ h=user1 ++ t=test1.0 ++ [[ user1 == \i\s\t\i\o ]] ++ [[ user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]] ++ plat=linux/amd64 ++ [[ '' == \t\r\u\e ]] ++ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64' +... + => CACHED [examples-bookinfo-ratings-v-faulty 4/6] COPY ratings.js /opt/microservices/ 0.0s + => CACHED [examples-bookinfo-ratings-v-faulty 5/6] WORKDIR /opt/microservices 0.0s + => CACHED [examples-bookinfo-ratings-v-faulty 6/6] RUN npm install 0.0s +WARNING: No output specified for examples-bookinfo-mysqldb, examples-bookinfo-ratings-v-faulty, examples-bookinfo-reviews-v2, examples-bookinfo-reviews-v3, examples-bookinfo-productpage-v-flooding, examples-bookinfo-ratings-v-unhealthy, examples-bookinfo-ratings-v-unavailable, examples-bookinfo-ratings-v1, examples-bookinfo-details-v2, examples-bookinfo-reviews-v1, examples-bookinfo-productpage-v1, examples-bookinfo-ratings-v-delayed, examples-bookinfo-details-v1, examples-bookinfo-ratings-v2, examples-bookinfo-mongodb target(s) with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load ++ [[ true == \t\r\u\e ]] ++ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: user1\1:test1.0#g' '{}' + +``` + +Verify that expected image eg: `user1/examples-bookinfo-*:test1.0` is updated in `platform/kube/bookinfo*.yaml` files. 
+ +## Tests + +Test that the bookinfo samples work with the latest image eg: `user1/examples-bookinfo-*:test1.0` that you pushed. + +```bash +$ cd ../../ +$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml +serviceaccount/bookinfo-details created +deployment.apps/details-v1 created +serviceaccount/bookinfo-ratings created +... +``` + +Wait for all the pods to be in `Running` start. + +```bash +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +details-v1-7f556f5c6b-485l2 2/2 Running 0 10m +productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m +ratings-v1-66777f856b-2ls78 2/2 Running 0 10m +reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m +reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m +reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m +``` + +Once all the pods are in the `Running` state. Test if the bookinfo works through cli. + +```bash +$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" +Simple Bookstore App +``` + +You can also test it by hitting productpage in the browser. + +```bash +http://192.168.39.116:31395/productpage +``` + +You should see the following in the browser. + +![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png) + +**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes. + +Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository. diff --git a/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml new file mode 100644 index 00000000..4edaba40 --- /dev/null +++ b/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml 
@@ -0,0 +1,12 @@
+# IOP configuration used to install the demo profile without gateways.
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ profile: demo
+ components:
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
+ egressGateways:
+ - name: istio-egressgateway
+ enabled: false
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
new file mode 100644
index 00000000..bcc17cfa
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: bookinfo
+spec:
+ parentRefs:
+ - name: bookinfo-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /productpage
+ - path:
+ type: PathPrefix
+ value: /static
+ - path:
+ type: Exact
+ value: /login
+ - path:
+ type: Exact
+ value: /logout
+ - path:
+ type: PathPrefix
+ value: /api/v1/products
+ backendRefs:
+ - name: productpage
+ port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml
new file mode 100644
index 00000000..17620e8f
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml
@@ -0,0 +1,60 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: productpage
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: productpage
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: productpage-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: ratings
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: ratings
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: ratings-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: details
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: details
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: details-v1
+ port: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
new file mode 100644
index 00000000..42cbe35b
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+ weight: 50
+ - name: reviews-v3
+ port: 9080
+ weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
new file mode 100644
index 00000000..f0ab4815
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+ weight: 90
+ - name: reviews-v2
+ port: 9080
+ weight: 10
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml
new file mode 100644
index 00000000..b7f8d3cf
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml
new file mode 100644
index 00000000..e76909aa
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - group: ""
+ kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v3
+ port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml
new file mode 100644
index 00000000..54e86888
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ # The selector matches the ingress gateway pod labels.
+ # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 8080
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: bookinfo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - bookinfo-gateway
+ http:
+ - match:
+ - uri:
+ exact: /productpage
+ - uri:
+ prefix: /static
+ - uri:
+ exact: /login
+ - uri:
+ exact: /logout
+ - uri:
+ prefix: /api/v1/products
+ route:
+ - destination:
+ host: productpage
+ port:
+ number: 9080
diff --git a/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml
new file mode 100644
index 00000000..f60f1c3b
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+ name: cert-manager-gateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: cert-manager
+ namespace: istio-system
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - cert-manager-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /.well-known/acme-challenge/
+ route:
+ - destination:
+ host: cert-manager-resolver
+ port:
+ number: 8089
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml
new file mode 100644
index 00000000..4aea699a
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml
@@ -0,0 +1,74 @@
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: productpage
+spec:
+ host: productpage
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: ratings
+spec:
+ host: ratings
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v2-mysql
+ labels:
+ version: v2-mysql
+ - name: v2-mysql-vm
+ labels:
+ version: v2-mysql-vm
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml
new file mode 100644
index 00000000..0bf3337f
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml
@@ -0,0 +1,62 @@
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: productpage
+spec:
+ host: productpage
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: ratings
+spec:
+ host: ratings
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v2-mysql
+ labels:
+ version: v2-mysql
+ - name: v2-mysql-vm
+ labels:
+ version: v2-mysql-vm
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml
new file mode 100644
index 00000000..ec549cec
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ trafficPolicy:
+ loadBalancer:
+ simple: RANDOM
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
diff --git a/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml
new file mode 100644
index 00000000..2c88692c
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml
@@ -0,0 +1,46 @@
+apiVersion: networking.istio.io/v1
+kind: ServiceEntry
+metadata:
+ name: googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: DNS
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: rewrite-port-for-googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ http:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: www.googleapis.com
+ port:
+ number: 443
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: originate-tls-for-googleapis
+spec:
+ host: www.googleapis.com
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: 443
+ tls:
+ mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
diff --git a/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml
new file mode 100644
index 00000000..cbf52713
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - fault:
+ abort:
+ httpStatus: 555
+ percentage:
+ value: 100
+ route:
+ - destination:
+ host: details
+ subset: v1
+ - route:
+ - destination:
+ host: details
+ subset: v1
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ subsets:
+ - name: v1
+ labels:
+ version: v1
\ No newline at end of file
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml
new file mode 100644
index 00000000..53e2fd71
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml
@@ -0,0 +1,52 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: productpage
+spec:
+ hosts:
+ - productpage
+ http:
+ - route:
+ - destination:
+ host: productpage
+ subset: v1
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - route:
+ - destination:
+ host: details
+ subset: v1
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml
new file mode 100644
index 00000000..74f93a9a
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - route:
+ - destination:
+ host: details
+ subset: v2
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml
new file mode 100644
index 00000000..0f15398e
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
new file mode 100644
index 00000000..fb70fd96
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2-mysql-vm
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
new file mode 100644
index 00000000..6d37feb6
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2-mysql
+---
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
new file mode 100644
index 00000000..b99455d7
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ abort:
+ percentage:
+ value: 100.0
+ httpStatus: 500
+ route:
+ - destination:
+ host: ratings
+ subset: v1
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
new file mode 100644
index 00000000..516eba01
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ delay:
+ percentage:
+ value: 100.0
+ fixedDelay: 7s
+ route:
+ - destination:
+ host: ratings
+ subset: v1
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
new file mode 100644
index 00000000..2883c635
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 50
+ - destination:
+ host: reviews
+ subset: v3
+ weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
new file mode 100644
index 00000000..72683061
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 80
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 20
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
new file mode 100644
index 00000000..4de526f7
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 90
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 10
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
new file mode 100644
index 00000000..c79517b6
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
new file mode 100644
index 00000000..d13156e2
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
new file mode 100644
index 00000000..28c1fdd9
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 50
+ - destination:
+ host: reviews
+ subset: v3
+ weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
new file mode 100644
index 00000000..bd2d3f6e
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/README.md b/istio-1.24.3/samples/bookinfo/platform/kube/README.md
new file mode 100644
index 00000000..d1189bec
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/README.md
@@ -0,0 +1,2 @@
+See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio
+docs for instructions on how to run this demo application.
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
new file mode 100644
index 00000000..bce874dc
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: istio-system
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: stage@istio.io
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: istio-ingressgateway-certs
+ namespace: istio-system
+spec:
+ secretName: istio-ingressgateway-certs
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: bookinfo.example.com
+ dnsNames:
+ - bookinfo.example.com
+ acme:
+ config:
+ - http01:
+ ingressClass: none
+ domains:
+ - bookinfo.example.com
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml
new file mode 100644
index 00000000..b0887e5a
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml
@@ -0,0 +1,63 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: mongodb
+ labels:
+ app: mongodb
+ service: mongodb
+spec:
+ ports:
+ - port: 27017
+ name: mongo
+ selector:
+ app: mongodb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb-v1
+ labels:
+ app: mongodb
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ version: v1
+ spec:
+ containers:
+ - name: mongodb
+ image: docker.io/istio/examples-bookinfo-mongodb:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 27017
+ args:
+ - '--ipv6'
+ - '--bind_ip_all'
+ volumeMounts:
+ - name: data-db
+ mountPath: /data/db
+ volumes:
+ - name: data-db
+ emptyDir: {}
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml
new file mode 100644
index 00000000..2a2b59f8
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml
@@ -0,0 +1,59 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv6, IPv4]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
new file mode 100644
index 00000000..84d4faef
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
@@ -0,0 +1,46 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service v2
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v2
+ labels:
+ app: details
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v2
+ spec:
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ env:
+ - name: DO_NOT_ENCRYPT
+ value: "true"
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml
new file mode 100644
index 00000000..57024f8a
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml
@@ -0,0 +1,57 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml
new file mode 100644
index 00000000..8f8d79c7
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml
@@ -0,0 +1,343 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# This file defines the services, service accounts, and deployments for the Bookinfo sample.
+#
+# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
+#
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
+#
+# Alternatively, you can deploy any resource separately:
+#
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
+##################################################################################################
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv6, IPv4]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-details
+ labels:
+ account: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-details
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv6, IPv4]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings
+ labels:
+ account: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-ratings
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
+##################################################################################################
+# Reviews service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews
+ labels:
+ app: reviews
+ service: reviews
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv4, IPv6]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-reviews
+ labels:
+ account: reviews
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v1
+ labels:
+ app: reviews
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v3
+ labels:
+ app: reviews
+ version: v3
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v3
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v3
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv4, IPv6]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-productpage
+ labels:
+ account: productpage
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: productpage-v1
+ labels:
+ app: productpage
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: productpage
+ version: v1
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9080"
+ prometheus.io/path: "/metrics"
+ labels:
+ app: productpage
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-productpage
+ containers:
+ - name: productpage
+ image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
new file mode 100644
index 00000000..e2143399
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
@@ -0,0 +1,63 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########################################################################
+# Ingress resource (gateway)
+##########################################################################
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gateway
+ annotations:
+ kubernetes.io/ingress.class: "istio"
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /productpage
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /static/
+ pathType: Prefix
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /login
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /logout
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /api/v1/products
+ pathType: Prefix
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
new file mode 100644
index 00000000..84c74202
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
@@ -0,0 +1,79 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Mysql db services
+# credentials: root/password
+##################################################################################################
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mysql-credentials
+type: Opaque
+data:
+ rootpasswd: cGFzc3dvcmQ=
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysqldb
+ labels:
+ app: mysqldb
+ service: mysqldb
+spec:
+ ports:
+ - port: 3306
+ name: tcp
+ selector:
+ app: mysqldb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysqldb-v1
+ labels:
+ app: mysqldb
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysqldb
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: mysqldb
+ version: v1
+ spec:
+ containers:
+ - name: mysqldb
+ image: docker.io/istio/examples-bookinfo-mysqldb:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mysql-credentials
+ key: rootpasswd
+ args: ["--default-authentication-plugin","mysql_native_password"]
+ volumeMounts:
+ - name: var-lib-mysql
+ mountPath: /var/lib/mysql
+ volumes:
+ - name: var-lib-mysql
+ emptyDir: {}
+---
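Review bot: The `mysql-credentials` Secret in this hunk ships `rootpasswd: cGFzc3dvcmQ=`, which the file's own header documents as root/password, and the ratings-v2-mysql manifests later in the patch repeat the same value as a plain `MYSQL_DB_PASSWORD` env value. Anyone who applies these manifests to a playground cluster gets a database with a publicly known root password. The path `istio-1.24.3/samples/...` suggests this is an unpacked upstream Istio release rather than playground code, so the tree probably should not be in the commit at all. An ignore entry such as `istio-*/`, with the install step fetching a pinned release, would keep it out. If the samples are meant to stay, a comment on the Secret such as `# demo-only credential; replace before applying to any shared cluster` would make that status explicit.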
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml
new file mode 100644
index 00000000..8e133c9c
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml
@@ -0,0 +1,363 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# This file defines the same services, service accounts, and deployments as bookinfo.yaml with +# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission +# enabled cluster that enforces the baseline policy. +################################################################################################## + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details + service: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-details + labels: + account: details +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: details-v1 + labels: + app: details + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + template: + metadata: + labels: + app: details + version: v1 + spec: + serviceAccountName: bookinfo-details + containers: + - name: details + image: docker.io/istio/examples-bookinfo-details-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 
9080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true +--- +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-ratings + labels: + account: ratings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v1 + labels: + app: ratings + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + serviceAccountName: bookinfo-ratings + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true +--- +################################################################################################## +# Reviews service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews + service: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-reviews + labels: + account: reviews +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v1 + labels: + app: reviews + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v1 + template: + metadata: + labels: + app: reviews + version: v1 + spec: + serviceAccountName: bookinfo-reviews + containers: 
+ - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v2 + labels: + app: reviews + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v2 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v3 + labels: + app: reviews + version: v3 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v3 + template: + metadata: + labels: + app: reviews + version: v3 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + volumes: + - name: 
wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage + service: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-productpage + labels: + account: productpage +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productpage-v1 + labels: + app: productpage + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9080" + prometheus.io/path: "/metrics" + labels: + app: productpage + version: v1 + spec: + serviceAccountName: bookinfo-productpage + containers: + - name: productpage + image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + runAsNonRoot: true + volumes: + - name: tmp + emptyDir: {} +--- diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml new file mode 100644 index 00000000..c8364636 --- /dev/null +++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml 
@@ -0,0 +1,33 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv6, IPv4]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
new file mode 100644
index 00000000..61c4b7f1
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
@@ -0,0 +1,31 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml
new file mode 100644
index 00000000..7b0833cc
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml
@@ -0,0 +1,59 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies: [IPv6, IPv4]
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
new file mode 100644
index 00000000..73e3130c
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
@@ -0,0 +1,53 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2-mysql-vm
+ labels:
+ app: ratings
+ version: v2-mysql-vm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2-mysql-vm
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2-mysql-vm
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ # This assumes you registered your mysql vm as
+ # istioctl register -n vm mysqldb 1.2.3.4 3306
+ - name: DB_TYPE
+ value: "mysql"
+ - name: MYSQL_DB_HOST
+ value: mysqldb.vm.svc.cluster.local
+ - name: MYSQL_DB_PORT
+ value: "3306"
+ - name: MYSQL_DB_USER
+ value: root
+ - name: MYSQL_DB_PASSWORD
+ value: password
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
new file mode 100644
index 00000000..746681b6
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
@@ -0,0 +1,56 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2-mysql
+ labels:
+ app: ratings
+ version: v2-mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2-mysql
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2-mysql
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ # ratings-v2 will use mongodb as the default db backend.
+ # if you would like to use mysqldb then you can use this file
+ # which sets DB_TYPE = 'mysql' and the rest of the parameters shown
+ # here and also create the # mysqldb service using bookinfo-mysql.yaml
+ # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml
+ - name: DB_TYPE
+ value: "mysql"
+ - name: MYSQL_DB_HOST
+ value: mysqldb
+ - name: MYSQL_DB_PORT
+ value: "3306"
+ - name: MYSQL_DB_USER
+ value: root
+ - name: MYSQL_DB_PASSWORD
+ value: password
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
new file mode 100644
index 00000000..b06d84fc
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
@@ -0,0 +1,63 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings-v2
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2
+ labels:
+ app: ratings
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-ratings-v2
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ # ratings-v2 will use mongodb as the default db backend.
+ # if you would like to use mysqldb then set DB_TYPE = 'mysql', set
+ # the rest of the parameters shown here and also create the
+ # mysqldb service using bookinfo-mysql.yaml
+ # - name: DB_TYPE #default to
+ # value: "mysql"
+ # - name: MYSQL_DB_HOST
+ # value: mysqldb
+ # - name: MYSQL_DB_PORT
+ # value: "3306"
+ # - name: MYSQL_DB_USER
+ # value: root
+ # - name: MYSQL_DB_PASSWORD
+ # value: password
+ - name: MONGO_DB_URL
+ value: mongodb://mongodb:27017/test
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
new file mode 100644
index 00000000..0a55a32e
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
@@ -0,0 +1,57 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
new file mode 100644
index 00000000..5637ecd8
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
@@ -0,0 +1,56 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Reviews service v2
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml
new file mode 100644
index 00000000..c374bbee
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v2
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v3
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v3
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: details-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+ version: v1
+---
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml
new file mode 100644
index 00000000..35a8a313
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml
@@ -0,0 +1,335 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# This file defines the services, service accounts, and deployments for the Bookinfo sample. +# +# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: +# +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml +# +# Alternatively, you can deploy any resource separately: +# +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment +################################################################################################## + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details + service: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-details + labels: + account: details +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + name: details-v1 + labels: + app: details + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + template: + metadata: + labels: + app: details + version: v1 + spec: + serviceAccountName: bookinfo-details + containers: + - name: details + image: docker.io/istio/examples-bookinfo-details-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-ratings + labels: + account: ratings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v1 + labels: + app: ratings + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + serviceAccountName: bookinfo-ratings + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +################################################################################################## +# Reviews service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews + service: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-reviews + labels: + account: reviews +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v1 + labels: + app: reviews + version: v1 
+spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v1 + template: + metadata: + labels: + app: reviews + version: v1 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v2 + labels: + app: reviews + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v2 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v3 + labels: + app: reviews + version: v3 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v3 + template: + metadata: + labels: + app: reviews + version: v3 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- 
+################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage + service: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-productpage + labels: + account: productpage +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productpage-v1 + labels: + app: productpage + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9080" + prometheus.io/path: "/metrics" + labels: + app: productpage + version: v1 + spec: + serviceAccountName: bookinfo-productpage + containers: + - name: productpage + image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + volumes: + - name: tmp + emptyDir: {} +--- diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh new file mode 100755 index 00000000..ac6720a4 --- /dev/null +++ b/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh 
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# only ask if in interactive mode
+if [[ -t 0 && -z ${NAMESPACE} ]];then
+ echo -n "namespace ? [default] "
+ read -r NAMESPACE
+fi
+
+# verify if the namespace exists, otherwise use default namespace
+if [[ -n ${NAMESPACE} ]];then
+ ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null)
+ if [[ -z ${ns} ]];then
+ echo "NAMESPACE ${NAMESPACE} not found."
+ NAMESPACE=default
+ fi
+fi
+
+# if no namespace is provided, use default namespace
+if [[ -z ${NAMESPACE} ]];then
+ NAMESPACE=default
+fi
+
+echo "using NAMESPACE=${NAMESPACE}"
+
+# clean up Istio traffic management resources that may have been used
+protos=( destinationrules virtualservices gateways authorizationpolicies )
+for proto in "${protos[@]}"; do
+ for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
+ kubectl delete -n "${NAMESPACE}" "$resource";
+ done
+done
+
+# clean up Gateway API resources that may have been used
+if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then
+ protos=( httproutes gateways.gateway.networking.k8s.io )
+ for proto in "${protos[@]}"; do
+ for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
+ kubectl delete -n "${NAMESPACE}" "$resource";
+ done
+ done
+ kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1
+fi
+
+OUTPUT=$(mktemp)
+export OUTPUT
+echo "Application cleanup may take up to one minute"
+kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1
+ret=$?
+function cleanup() {
+ rm -f "${OUTPUT}"
+}
+
+trap cleanup EXIT
+
+if [[ ${ret} -eq 0 ]];then
+ cat "${OUTPUT}"
+else
+ # ignore NotFound errors
+ OUT2=$(grep -v NotFound "${OUTPUT}")
+ if [[ -n ${OUT2} ]];then
+ cat "${OUTPUT}"
+ exit ${ret}
+ fi
+fi
+
+# wait for 30 sec for bookinfo to clean up
+sleep 30
+
+echo "Application cleanup successful"
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml
new file mode 100644
index 00000000..aadba2e0
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml
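Review bot: When the supplied namespace does not exist, the `if [[ -z ${ns} ]]` branch resets `NAMESPACE=default` and the script carries on, and the loops that follow delete every destinationrule, virtualservice, gateway and authorizationpolicy in that namespace rather than only the Bookinfo ones. A mistyped namespace therefore removes traffic and access-control policy from `default`. I would stop instead of falling back, replacing `NAMESPACE=default` in that branch with `exit 1` and sending the "not found" message to stderr, and add a comment above the `protos=( ... )` loop stating that it clears all resources of those kinds in the namespace. The file carries the Istio Authors header and sits under `istio-1.24.3/`, so if this is an unpacked release tree it may be simpler to keep the directory out of the commit than to patch it here.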
@@ -0,0 +1,32 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ type: NodePort
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
diff --git a/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
new file mode 100644
index 00000000..ef96dc56
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
@@ -0,0 +1,88 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit
+ namespace: istio-system
+spec:
+ workloadSelector:
+ # select by label in the same namespace
+ labels:
+ istio: ingressgateway
+ configPatches:
+ # The Envoy config you want to modify
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.ratelimit
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
+ # domain can be anything! Match it to the ratelimter service config
+ domain: productpage-ratelimit
+ failure_mode_deny: true
+ rate_limit_service:
+ grpc_service:
+ envoy_grpc:
+ cluster_name: rate_limit_cluster
+ timeout: 10s
+ - applyTo: CLUSTER
+ match:
+ cluster:
+ service: ratelimit.default.svc.cluster.local
+ patch:
+ operation: ADD
+ value:
+ name: rate_limit_cluster
+ type: STRICT_DNS
+ connect_timeout: 10s
+ lb_policy: ROUND_ROBIN
+ http2_protocol_options: {}
+ load_assignment:
+ cluster_name: rate_limit_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: ratelimit.default.svc.cluster.local
+ port_value: 8081
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit-svc
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: VIRTUAL_HOST
+ match:
+ context: GATEWAY
+ routeConfiguration:
+ vhost:
+ name: ""
+ route:
+ action: ANY
+ patch:
+ operation: MERGE
+ value:
+ rate_limits:
+ - actions: # any actions in here
+ # Multiple actions nest the descriptors
+ # - generic_key:
+ # descriptor_value: "test"
+ - request_headers:
+ header_name: ":path"
+ descriptor_key: "PATH"
+ # - remote_address: {}
+ # - destination_cluster: {}
\ No newline at end of file
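Review bot: `failure_mode_deny: true` in the `filter-ratelimit` patch makes the ingress gateway fail closed, and nothing in the manifest says so: when `rate_limit_cluster` cannot be reached or times out, requests are rejected instead of passed through. Because that cluster resolves to `ratelimit.default.svc.cluster.local` on port 8081, the rate limit service becomes part of the gateway's availability path. I would add a comment above the field, e.g. `# fail closed: requests are rejected while the rate limit service is unavailable`, and correct `ratelimter` to `ratelimiter` in the comment on the line before `domain:`.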
diff --git a/istio-1.24.3/samples/bookinfo/src/build-services.sh b/istio-1.24.3/samples/bookinfo/src/build-services.sh new file mode 100755 index 00000000..74efb909 --- /dev/null +++ b/istio-1.24.3/samples/bookinfo/src/build-services.sh @@ -0,0 +1,42 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ox errexit + +# Get to the root directory of the repo... +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +cd "$SCRIPTDIR/../../.." + +h="${BOOKINFO_HUB:?BOOKINFO_HUB must be set}" +t="${BOOKINFO_TAG:?BOOKINFO_TAG must be set}" +if [[ ("${h}" == "istio" || "${h}" == "docker.io/istio") && -z "$CI" && "$*" =~ "--push" ]]; then + echo "Can only push to prod registry in CI" + exit 1 +fi + +if [[ "${BOOKINFO_LATEST}" == "true" ]]; then + BOOKINFO_TAG="${BOOKINFO_TAG},latest" +fi + +# Pass input args to the command. This allows using --push, --load, etc +env TAGS="${BOOKINFO_TAG}" HUB="${BOOKINFO_HUB}" \ + docker buildx bake -f samples/bookinfo/src/docker-bake.hcl "$@" + +if [[ "${BOOKINFO_UPDATE}" == "true" ]]; then +# Update image references in the yaml files + find ./samples/bookinfo/platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${h//\//\\/}\\1:$t#g" {} + +fi + diff --git a/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json new file mode 100644 index 00000000..b4563b50 --- /dev/null 
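Review bot: The "Can only push to prod registry in CI" check is a convenience guard rather than an enforcement point, and the script does not say so. It passes whenever `$CI` is non-empty and only looks for the literal text `--push` in `"$*"`, while every argument is forwarded unchanged to `docker buildx bake`. I would add a comment above the `if`, e.g. `# Advisory only: push rights to the prod registry are enforced by registry credentials, not by this check`.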
+++ b/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json
@@ -0,0 +1,2 @@
+{rating: 5}
+{rating: 4}
diff --git a/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh b/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh
new file mode 100644
index 00000000..7e230ee5
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
diff --git a/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt b/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt
new file mode 100644
index 00000000..a2d57a9a
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt
@@ -0,0 +1,633 @@ +# +# This file is autogenerated by pip-compile with Python 3.12 +# by the following command: +# +# pip-compile --generate-hashes requirements.in +# +blinker==1.8.2 \ + --hash=sha256:1779309f71bf239144b9399d06ae925637cf6634cf6bd131104184531bf67c01 \ + --hash=sha256:8f77b09d3bf7c795e969e9486f39c2c5e9c39d4ee07424be2bc594ece9642d83 + # via flask +certifi==2024.7.4 \ + --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ + --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 + # via requests +charset-normalizer==3.3.2 \ + --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ + --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ + --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ + --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ + --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ + --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ + --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ + --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ + --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ + --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ + --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ + --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ + --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ + --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ + --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ + --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ + 
--hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ + --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ + --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ + --hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ + --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ + --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ + --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ + --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ + --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ + --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ + --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ + --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ + --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ + --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ + --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ + --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ + --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ + --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ + --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ + --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ + --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ + --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ + --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ + --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ + 
--hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ + --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ + --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ + --hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ + --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ + --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ + --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ + --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ + --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ + --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ + --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ + --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ + --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ + --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ + --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ + --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ + --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ + --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ + --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ + --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ + --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ + --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ + --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ + --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ + 
--hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ + --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ + --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ + --hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ + --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ + --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ + --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ + --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ + --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ + --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ + --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ + --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ + --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ + --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ + --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ + --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ + --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ + --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ + --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ + --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ + --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ + --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ + --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ + --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ + 
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ + --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 + # via requests +click==8.1.3 \ + --hash=sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e \ + --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 + # via flask +deprecated==1.2.14 \ + --hash=sha256:6fac8b097794a90302bdbb17b9b815e732d3c4720583ff1b198499d78470466c \ + --hash=sha256:e5323eb936458dccc2582dc6f9c322c852a775a27065ff2b0c4970b9d53d01b3 + # via + # opentelemetry-api + # opentelemetry-propagator-b3 +dominate==2.9.1 \ + --hash=sha256:558284687d9b8aae1904e3d6051ad132dd4a8c0cf551b37ea4e7e42a31d19dc4 \ + --hash=sha256:cb7b6b79d33b15ae0a6e87856b984879927c7c2ebb29522df4c75b28ffd9b989 + # via flask-bootstrap +flask==3.0.2 \ + --hash=sha256:3232e0e9c850d781933cf0207523d1ece087eb8d87b23777ae38456e2fbe7c6e \ + --hash=sha256:822c03f4b799204250a7ee84b1eddc40665395333973dfb9deebfe425fefcb7d + # via + # -r requirements.in + # flask-bootstrap + # flask-json +flask-bootstrap==3.3.7.1 \ + --hash=sha256:cb08ed940183f6343a64e465e83b3a3f13c53e1baabb8d72b5da4545ef123ac8 + # via -r requirements.in +flask-json==0.4.0 \ + --hash=sha256:07945d66024f3b77694ce1db5d1fe83940f2aa3bcad8a608535686be67e4bc48 \ + --hash=sha256:1c1b87a657daa2179fc19f1ffc78204a716c7c5139673dc5038772db4d9f1988 + # via -r requirements.in +future==0.18.3 \ + --hash=sha256:34a17436ed1e96697a86f9de3d15a3b0be01d8bc8de9c1dffd59fb8234ed5307 + # via -r requirements.in +gevent==24.2.1 \ + --hash=sha256:03aa5879acd6b7076f6a2a307410fb1e0d288b84b03cdfd8c74db8b4bc882fc5 \ + --hash=sha256:117e5837bc74a1673605fb53f8bfe22feb6e5afa411f524c835b2ddf768db0de \ + --hash=sha256:141a2b24ad14f7b9576965c0c84927fc85f824a9bb19f6ec1e61e845d87c9cd8 \ + --hash=sha256:14532a67f7cb29fb055a0e9b39f16b88ed22c66b96641df8c04bdc38c26b9ea5 \ + --hash=sha256:1dffb395e500613e0452b9503153f8f7ba587c67dd4a85fc7cd7aa7430cb02cc \ + 
--hash=sha256:2955eea9c44c842c626feebf4459c42ce168685aa99594e049d03bedf53c2800 \ + --hash=sha256:2ae3a25ecce0a5b0cd0808ab716bfca180230112bb4bc89b46ae0061d62d4afe \ + --hash=sha256:2e9ac06f225b696cdedbb22f9e805e2dd87bf82e8fa5e17756f94e88a9d37cf7 \ + --hash=sha256:368a277bd9278ddb0fde308e6a43f544222d76ed0c4166e0d9f6b036586819d9 \ + --hash=sha256:3adfb96637f44010be8abd1b5e73b5070f851b817a0b182e601202f20fa06533 \ + --hash=sha256:3d5325ccfadfd3dcf72ff88a92fb8fc0b56cacc7225f0f4b6dcf186c1a6eeabc \ + --hash=sha256:432fc76f680acf7cf188c2ee0f5d3ab73b63c1f03114c7cd8a34cebbe5aa2056 \ + --hash=sha256:44098038d5e2749b0784aabb27f1fcbb3f43edebedf64d0af0d26955611be8d6 \ + --hash=sha256:5a1df555431f5cd5cc189a6ee3544d24f8c52f2529134685f1e878c4972ab026 \ + --hash=sha256:6c47ae7d1174617b3509f5d884935e788f325eb8f1a7efc95d295c68d83cce40 \ + --hash=sha256:6f947a9abc1a129858391b3d9334c45041c08a0f23d14333d5b844b6e5c17a07 \ + --hash=sha256:782a771424fe74bc7e75c228a1da671578c2ba4ddb2ca09b8f959abdf787331e \ + --hash=sha256:7899a38d0ae7e817e99adb217f586d0a4620e315e4de577444ebeeed2c5729be \ + --hash=sha256:7b00f8c9065de3ad226f7979154a7b27f3b9151c8055c162332369262fc025d8 \ + --hash=sha256:8f4b8e777d39013595a7740b4463e61b1cfe5f462f1b609b28fbc1e4c4ff01e5 \ + --hash=sha256:90cbac1ec05b305a1b90ede61ef73126afdeb5a804ae04480d6da12c56378df1 \ + --hash=sha256:918cdf8751b24986f915d743225ad6b702f83e1106e08a63b736e3a4c6ead789 \ + --hash=sha256:9202f22ef811053077d01f43cc02b4aaf4472792f9fd0f5081b0b05c926cca19 \ + --hash=sha256:94138682e68ec197db42ad7442d3cf9b328069c3ad8e4e5022e6b5cd3e7ffae5 \ + --hash=sha256:968581d1717bbcf170758580f5f97a2925854943c45a19be4d47299507db2eb7 \ + --hash=sha256:9d8d0642c63d453179058abc4143e30718b19a85cbf58c2744c9a63f06a1d388 \ + --hash=sha256:a7ceb59986456ce851160867ce4929edaffbd2f069ae25717150199f8e1548b8 \ + --hash=sha256:b9913c45d1be52d7a5db0c63977eebb51f68a2d5e6fd922d1d9b5e5fd758cc98 \ + --hash=sha256:bde283313daf0b34a8d1bab30325f5cb0f4e11b5869dbe5bc61f8fe09a8f66f3 \ + 
--hash=sha256:bf5b9c72b884c6f0c4ed26ef204ee1f768b9437330422492c319470954bc4cc7 \ + --hash=sha256:ca80b121bbec76d7794fcb45e65a7eca660a76cc1a104ed439cdbd7df5f0b060 \ + --hash=sha256:cdf66977a976d6a3cfb006afdf825d1482f84f7b81179db33941f2fc9673bb1d \ + --hash=sha256:d4faf846ed132fd7ebfbbf4fde588a62d21faa0faa06e6f468b7faa6f436b661 \ + --hash=sha256:d7f87c2c02e03d99b95cfa6f7a776409083a9e4d468912e18c7680437b29222c \ + --hash=sha256:dd23df885318391856415e20acfd51a985cba6919f0be78ed89f5db9ff3a31cb \ + --hash=sha256:f5de3c676e57177b38857f6e3cdfbe8f38d1cd754b63200c0615eaa31f514b4f \ + --hash=sha256:f5e8e8d60e18d5f7fd49983f0c4696deeddaf6e608fbab33397671e2fcc6cc91 \ + --hash=sha256:f7cac622e11b4253ac4536a654fe221249065d9a69feb6cdcd4d9af3503602e0 \ + --hash=sha256:f8a04cf0c5b7139bc6368b461257d4a757ea2fe89b3773e494d235b7dd51119f \ + --hash=sha256:f8bb35ce57a63c9a6896c71a285818a3922d8ca05d150fd1fe49a7f57287b836 \ + --hash=sha256:fbfdce91239fe306772faab57597186710d5699213f4df099d1612da7320d682 + # via -r requirements.in +greenlet==3.0.3 \ + --hash=sha256:01bc7ea167cf943b4c802068e178bbf70ae2e8c080467070d01bfa02f337ee67 \ + --hash=sha256:0448abc479fab28b00cb472d278828b3ccca164531daab4e970a0458786055d6 \ + --hash=sha256:086152f8fbc5955df88382e8a75984e2bb1c892ad2e3c80a2508954e52295257 \ + --hash=sha256:098d86f528c855ead3479afe84b49242e174ed262456c342d70fc7f972bc13c4 \ + --hash=sha256:149e94a2dd82d19838fe4b2259f1b6b9957d5ba1b25640d2380bea9c5df37676 \ + --hash=sha256:1551a8195c0d4a68fac7a4325efac0d541b48def35feb49d803674ac32582f61 \ + --hash=sha256:15d79dd26056573940fcb8c7413d84118086f2ec1a8acdfa854631084393efcc \ + --hash=sha256:1996cb9306c8595335bb157d133daf5cf9f693ef413e7673cb07e3e5871379ca \ + --hash=sha256:1a7191e42732df52cb5f39d3527217e7ab73cae2cb3694d241e18f53d84ea9a7 \ + --hash=sha256:1ea188d4f49089fc6fb283845ab18a2518d279c7cd9da1065d7a84e991748728 \ + --hash=sha256:1f672519db1796ca0d8753f9e78ec02355e862d0998193038c7073045899f305 \ + 
--hash=sha256:2516a9957eed41dd8f1ec0c604f1cdc86758b587d964668b5b196a9db5bfcde6 \ + --hash=sha256:2797aa5aedac23af156bbb5a6aa2cd3427ada2972c828244eb7d1b9255846379 \ + --hash=sha256:2dd6e660effd852586b6a8478a1d244b8dc90ab5b1321751d2ea15deb49ed414 \ + --hash=sha256:3ddc0f794e6ad661e321caa8d2f0a55ce01213c74722587256fb6566049a8b04 \ + --hash=sha256:3ed7fb269f15dc662787f4119ec300ad0702fa1b19d2135a37c2c4de6fadfd4a \ + --hash=sha256:419b386f84949bf0e7c73e6032e3457b82a787c1ab4a0e43732898a761cc9dbf \ + --hash=sha256:43374442353259554ce33599da8b692d5aa96f8976d567d4badf263371fbe491 \ + --hash=sha256:52f59dd9c96ad2fc0d5724107444f76eb20aaccb675bf825df6435acb7703559 \ + --hash=sha256:57e8974f23e47dac22b83436bdcf23080ade568ce77df33159e019d161ce1d1e \ + --hash=sha256:5b51e85cb5ceda94e79d019ed36b35386e8c37d22f07d6a751cb659b180d5274 \ + --hash=sha256:649dde7de1a5eceb258f9cb00bdf50e978c9db1b996964cd80703614c86495eb \ + --hash=sha256:64d7675ad83578e3fc149b617a444fab8efdafc9385471f868eb5ff83e446b8b \ + --hash=sha256:68834da854554926fbedd38c76e60c4a2e3198c6fbed520b106a8986445caaf9 \ + --hash=sha256:6b66c9c1e7ccabad3a7d037b2bcb740122a7b17a53734b7d72a344ce39882a1b \ + --hash=sha256:70fb482fdf2c707765ab5f0b6655e9cfcf3780d8d87355a063547b41177599be \ + --hash=sha256:7170375bcc99f1a2fbd9c306f5be8764eaf3ac6b5cb968862cad4c7057756506 \ + --hash=sha256:73a411ef564e0e097dbe7e866bb2dda0f027e072b04da387282b02c308807405 \ + --hash=sha256:77457465d89b8263bca14759d7c1684df840b6811b2499838cc5b040a8b5b113 \ + --hash=sha256:7f362975f2d179f9e26928c5b517524e89dd48530a0202570d55ad6ca5d8a56f \ + --hash=sha256:81bb9c6d52e8321f09c3d165b2a78c680506d9af285bfccbad9fb7ad5a5da3e5 \ + --hash=sha256:881b7db1ebff4ba09aaaeae6aa491daeb226c8150fc20e836ad00041bcb11230 \ + --hash=sha256:894393ce10ceac937e56ec00bb71c4c2f8209ad516e96033e4b3b1de270e200d \ + --hash=sha256:99bf650dc5d69546e076f413a87481ee1d2d09aaaaaca058c9251b6d8c14783f \ + --hash=sha256:9da2bd29ed9e4f15955dd1595ad7bc9320308a3b766ef7f837e23ad4b4aac31a \ + 
--hash=sha256:afaff6cf5200befd5cec055b07d1c0a5a06c040fe5ad148abcd11ba6ab9b114e \ + --hash=sha256:b1b5667cced97081bf57b8fa1d6bfca67814b0afd38208d52538316e9422fc61 \ + --hash=sha256:b37eef18ea55f2ffd8f00ff8fe7c8d3818abd3e25fb73fae2ca3b672e333a7a6 \ + --hash=sha256:b542be2440edc2d48547b5923c408cbe0fc94afb9f18741faa6ae970dbcb9b6d \ + --hash=sha256:b7dcbe92cc99f08c8dd11f930de4d99ef756c3591a5377d1d9cd7dd5e896da71 \ + --hash=sha256:b7f009caad047246ed379e1c4dbcb8b020f0a390667ea74d2387be2998f58a22 \ + --hash=sha256:bba5387a6975598857d86de9eac14210a49d554a77eb8261cc68b7d082f78ce2 \ + --hash=sha256:c5e1536de2aad7bf62e27baf79225d0d64360d4168cf2e6becb91baf1ed074f3 \ + --hash=sha256:c5ee858cfe08f34712f548c3c363e807e7186f03ad7a5039ebadb29e8c6be067 \ + --hash=sha256:c9db1c18f0eaad2f804728c67d6c610778456e3e1cc4ab4bbd5eeb8e6053c6fc \ + --hash=sha256:d353cadd6083fdb056bb46ed07e4340b0869c305c8ca54ef9da3421acbdf6881 \ + --hash=sha256:d46677c85c5ba00a9cb6f7a00b2bfa6f812192d2c9f7d9c4f6a55b60216712f3 \ + --hash=sha256:d4d1ac74f5c0c0524e4a24335350edad7e5f03b9532da7ea4d3c54d527784f2e \ + --hash=sha256:d73a9fe764d77f87f8ec26a0c85144d6a951a6c438dfe50487df5595c6373eac \ + --hash=sha256:da70d4d51c8b306bb7a031d5cff6cc25ad253affe89b70352af5f1cb68e74b53 \ + --hash=sha256:daf3cb43b7cf2ba96d614252ce1684c1bccee6b2183a01328c98d36fcd7d5cb0 \ + --hash=sha256:dca1e2f3ca00b84a396bc1bce13dd21f680f035314d2379c4160c98153b2059b \ + --hash=sha256:dd4f49ae60e10adbc94b45c0b5e6a179acc1736cf7a90160b404076ee283cf83 \ + --hash=sha256:e1f145462f1fa6e4a4ae3c0f782e580ce44d57c8f2c7aae1b6fa88c0b2efdb41 \ + --hash=sha256:e3391d1e16e2a5a1507d83e4a8b100f4ee626e8eca43cf2cadb543de69827c4c \ + --hash=sha256:fcd2469d6a2cf298f198f0487e0a5b1a47a42ca0fa4dfd1b6862c999f018ebbf \ + --hash=sha256:fd096eb7ffef17c456cfa587523c5f92321ae02427ff955bebe9e3c63bc9f0da \ + --hash=sha256:fe754d231288e1e64323cfad462fcee8f0288654c10bdf4f603a39ed923bef33 + # via gevent +gunicorn==22.0.0 \ + 
--hash=sha256:350679f91b24062c86e386e198a15438d53a7a8207235a78ba1b53df4c4378d9 \ + --hash=sha256:4a0b436239ff76fb33f11c07a16482c521a7e09c1ce3cc293c2330afe01bec63 + # via -r requirements.in +idna==3.7 \ + --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ + --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 + # via requests +importlib-metadata==6.11.0 \ + --hash=sha256:1231cf92d825c9e03cfc4da076a16de6422c863558229ea0b22b675657463443 \ + --hash=sha256:f0afba6205ad8f8947c7d338b5342d5db2afbfd82f9cbef7879a9539cc12eb9b + # via opentelemetry-api +itsdangerous==2.2.0 \ + --hash=sha256:c6242fc49e35958c8b15141343aa660db5fc54d4f13a1db01a3f5891b98700ef \ + --hash=sha256:e0050c0b7da1eea53ffaf149c0cfbb5c6e2e2b69c4bef22c81fa6eb73e5f6173 + # via flask +jinja2==3.1.4 \ + --hash=sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369 \ + --hash=sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d + # via flask +json2html==1.3.0 \ + --hash=sha256:8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c34600689c + # via -r requirements.in +markupsafe==2.1.5 \ + --hash=sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf \ + --hash=sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff \ + --hash=sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f \ + --hash=sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3 \ + --hash=sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532 \ + --hash=sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f \ + --hash=sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617 \ + --hash=sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df \ + --hash=sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4 \ + --hash=sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906 \ + 
--hash=sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f \ + --hash=sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4 \ + --hash=sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8 \ + --hash=sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371 \ + --hash=sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2 \ + --hash=sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465 \ + --hash=sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52 \ + --hash=sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6 \ + --hash=sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169 \ + --hash=sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad \ + --hash=sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2 \ + --hash=sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0 \ + --hash=sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029 \ + --hash=sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f \ + --hash=sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a \ + --hash=sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced \ + --hash=sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5 \ + --hash=sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c \ + --hash=sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf \ + --hash=sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9 \ + --hash=sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb \ + --hash=sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad \ + --hash=sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3 \ + --hash=sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1 \ + 
--hash=sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46 \ + --hash=sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc \ + --hash=sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a \ + --hash=sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee \ + --hash=sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900 \ + --hash=sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5 \ + --hash=sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea \ + --hash=sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f \ + --hash=sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5 \ + --hash=sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e \ + --hash=sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a \ + --hash=sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f \ + --hash=sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50 \ + --hash=sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a \ + --hash=sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b \ + --hash=sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4 \ + --hash=sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff \ + --hash=sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2 \ + --hash=sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46 \ + --hash=sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b \ + --hash=sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf \ + --hash=sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5 \ + --hash=sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5 \ + --hash=sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab \ + 
--hash=sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd \ + --hash=sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68 + # via + # jinja2 + # werkzeug +opentelemetry-api==1.22.0 \ + --hash=sha256:15ae4ca925ecf9cfdfb7a709250846fbb08072260fca08ade78056c502b86bed \ + --hash=sha256:43621514301a7e9f5d06dd8013a1b450f30c2e9372b8e30aaeb4562abf2ce034 + # via + # -r requirements.in + # opentelemetry-instrumentation + # opentelemetry-instrumentation-flask + # opentelemetry-instrumentation-wsgi + # opentelemetry-propagator-b3 + # opentelemetry-sdk +opentelemetry-instrumentation==0.43b0 \ + --hash=sha256:0ff1334d7e359e27640e9d420024efeb73eacae464309c2e14ede7ba6c93967e \ + --hash=sha256:c3755da6c4be8033be0216d0501e11f4832690f4e2eca5a3576fbf113498f0f6 + # via + # -r requirements.in + # opentelemetry-instrumentation-flask + # opentelemetry-instrumentation-wsgi +opentelemetry-instrumentation-flask==0.43b0 \ + --hash=sha256:537aecdd8de1c00f9b408d7a02b85e9ba55cda1ed95f4712199478ceaa4dfb2c \ + --hash=sha256:ea3779f157a7efe82d0e10a59af64440e34b5e8004eaee08d7d61bbb889701fa + # via -r requirements.in +opentelemetry-instrumentation-wsgi==0.43b0 \ + --hash=sha256:0b7511469daa29a6e75b9cc54b4d01a9bb46aa1f964471dc3ee3f06ff39f94b2 \ + --hash=sha256:3a1cf045f7ccf04987a89cdd49eda93e9195de4c8b73be228a9e565ec3ab453c + # via + # -r requirements.in + # opentelemetry-instrumentation-flask +opentelemetry-propagator-b3==1.22.0 \ + --hash=sha256:3270f17bceb46338d700b5a09ff2e0499ec4f5189b3a4114bc3f2e64283b317d \ + --hash=sha256:cef5528b5c16866fdf7d6d6eb5dfbca216f071cda3c87da658cedf3451e6f6bf + # via -r requirements.in +opentelemetry-sdk==1.22.0 \ + --hash=sha256:45267ac1f38a431fc2eb5d6e0c0d83afc0b78de57ac345488aa58c28c17991d0 \ + --hash=sha256:a730555713d7c8931657612a88a141e3a4fe6eb5523d9e2d5a8b1e673d76efa6 + # via -r requirements.in +opentelemetry-semantic-conventions==0.43b0 \ + --hash=sha256:291284d7c1bf15fdaddf309b3bd6d3b7ce12a253cec6d27144439819a15d8445 \ + 
--hash=sha256:b9576fb890df479626fa624e88dde42d3d60b8b6c8ae1152ad157a8b97358635 + # via + # -r requirements.in + # opentelemetry-instrumentation-flask + # opentelemetry-instrumentation-wsgi + # opentelemetry-sdk +opentelemetry-util-http==0.43b0 \ + --hash=sha256:3ff6ab361dbe99fc81200d625603c0fb890c055c6e416a3e6d661ddf47a6c7f7 \ + --hash=sha256:f25a820784b030f6cb86b3d76e5676c769b75ed3f55a210bcdae0a5e175ebadb + # via + # -r requirements.in + # opentelemetry-instrumentation-flask + # opentelemetry-instrumentation-wsgi +packaging==24.0 \ + --hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \ + --hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9 + # via + # gunicorn + # opentelemetry-instrumentation-flask +prometheus-client==0.19.0 \ + --hash=sha256:4585b0d1223148c27a225b10dbec5ae9bc4c81a99a3fa80774fa6209935324e1 \ + --hash=sha256:c88b1e6ecf6b41cd8fb5731c7ae919bf66df6ec6fafa555cd6c0e16ca169ae92 + # via -r requirements.in +requests==2.32.2 \ + --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ + --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c + # via -r requirements.in +simplejson==3.19.2 \ + --hash=sha256:0405984f3ec1d3f8777c4adc33eac7ab7a3e629f3b1c05fdded63acc7cf01137 \ + --hash=sha256:0436a70d8eb42bea4fe1a1c32d371d9bb3b62c637969cb33970ad624d5a3336a \ + --hash=sha256:061e81ea2d62671fa9dea2c2bfbc1eec2617ae7651e366c7b4a2baf0a8c72cae \ + --hash=sha256:064300a4ea17d1cd9ea1706aa0590dcb3be81112aac30233823ee494f02cb78a \ + --hash=sha256:08889f2f597ae965284d7b52a5c3928653a9406d88c93e3161180f0abc2433ba \ + --hash=sha256:0a48679310e1dd5c9f03481799311a65d343748fe86850b7fb41df4e2c00c087 \ + --hash=sha256:0b0a3eb6dd39cce23801a50c01a0976971498da49bc8a0590ce311492b82c44b \ + --hash=sha256:0d2d5119b1d7a1ed286b8af37357116072fc96700bce3bec5bb81b2e7057ab41 \ + --hash=sha256:0d551dc931638e2102b8549836a1632e6e7cf620af3d093a7456aa642bff601d \ + 
--hash=sha256:1018bd0d70ce85f165185d2227c71e3b1e446186f9fa9f971b69eee223e1e3cd \ + --hash=sha256:11c39fbc4280d7420684494373b7c5904fa72a2b48ef543a56c2d412999c9e5d \ + --hash=sha256:11cc3afd8160d44582543838b7e4f9aa5e97865322844b75d51bf4e0e413bb3e \ + --hash=sha256:1537b3dd62d8aae644f3518c407aa8469e3fd0f179cdf86c5992792713ed717a \ + --hash=sha256:16ca9c90da4b1f50f089e14485db8c20cbfff2d55424062791a7392b5a9b3ff9 \ + --hash=sha256:176a1b524a3bd3314ed47029a86d02d5a95cc0bee15bd3063a1e1ec62b947de6 \ + --hash=sha256:18955c1da6fc39d957adfa346f75226246b6569e096ac9e40f67d102278c3bcb \ + --hash=sha256:1bb5b50dc6dd671eb46a605a3e2eb98deb4a9af787a08fcdddabe5d824bb9664 \ + --hash=sha256:1c768e7584c45094dca4b334af361e43b0aaa4844c04945ac7d43379eeda9bc2 \ + --hash=sha256:1dd4f692304854352c3e396e9b5f0a9c9e666868dd0bdc784e2ac4c93092d87b \ + --hash=sha256:25785d038281cd106c0d91a68b9930049b6464288cea59ba95b35ee37c2d23a5 \ + --hash=sha256:287e39ba24e141b046812c880f4619d0ca9e617235d74abc27267194fc0c7835 \ + --hash=sha256:2c1467d939932901a97ba4f979e8f2642415fcf02ea12f53a4e3206c9c03bc17 \ + --hash=sha256:2c433a412e96afb9a3ce36fa96c8e61a757af53e9c9192c97392f72871e18e69 \ + --hash=sha256:2d022b14d7758bfb98405672953fe5c202ea8a9ccf9f6713c5bd0718eba286fd \ + --hash=sha256:2f98d918f7f3aaf4b91f2b08c0c92b1774aea113334f7cde4fe40e777114dbe6 \ + --hash=sha256:2fc697be37585eded0c8581c4788fcfac0e3f84ca635b73a5bf360e28c8ea1a2 \ + --hash=sha256:3194cd0d2c959062b94094c0a9f8780ffd38417a5322450a0db0ca1a23e7fbd2 \ + --hash=sha256:332c848f02d71a649272b3f1feccacb7e4f7e6de4a2e6dc70a32645326f3d428 \ + --hash=sha256:346820ae96aa90c7d52653539a57766f10f33dd4be609206c001432b59ddf89f \ + --hash=sha256:3471e95110dcaf901db16063b2e40fb394f8a9e99b3fe9ee3acc6f6ef72183a2 \ + --hash=sha256:3848427b65e31bea2c11f521b6fc7a3145d6e501a1038529da2391aff5970f2f \ + --hash=sha256:39b6d79f5cbfa3eb63a869639cfacf7c41d753c64f7801efc72692c1b2637ac7 \ + --hash=sha256:3e74355cb47e0cd399ead3477e29e2f50e1540952c22fb3504dda0184fc9819f \ + 
--hash=sha256:3f39bb1f6e620f3e158c8b2eaf1b3e3e54408baca96a02fe891794705e788637 \ + --hash=sha256:40847f617287a38623507d08cbcb75d51cf9d4f9551dd6321df40215128325a3 \ + --hash=sha256:4280e460e51f86ad76dc456acdbfa9513bdf329556ffc8c49e0200878ca57816 \ + --hash=sha256:445a96543948c011a3a47c8e0f9d61e9785df2544ea5be5ab3bc2be4bd8a2565 \ + --hash=sha256:4969d974d9db826a2c07671273e6b27bc48e940738d768fa8f33b577f0978378 \ + --hash=sha256:49aaf4546f6023c44d7e7136be84a03a4237f0b2b5fb2b17c3e3770a758fc1a0 \ + --hash=sha256:49e0e3faf3070abdf71a5c80a97c1afc059b4f45a5aa62de0c2ca0444b51669b \ + --hash=sha256:49f9da0d6cd17b600a178439d7d2d57c5ef01f816b1e0e875e8e8b3b42db2693 \ + --hash=sha256:4a8c3cc4f9dfc33220246760358c8265dad6e1104f25f0077bbca692d616d358 \ + --hash=sha256:4d36081c0b1c12ea0ed62c202046dca11438bee48dd5240b7c8de8da62c620e9 \ + --hash=sha256:4edcd0bf70087b244ba77038db23cd98a1ace2f91b4a3ecef22036314d77ac23 \ + --hash=sha256:554313db34d63eac3b3f42986aa9efddd1a481169c12b7be1e7512edebff8eaf \ + --hash=sha256:5675e9d8eeef0aa06093c1ff898413ade042d73dc920a03e8cea2fb68f62445a \ + --hash=sha256:60848ab779195b72382841fc3fa4f71698a98d9589b0a081a9399904487b5832 \ + --hash=sha256:66e5dc13bfb17cd6ee764fc96ccafd6e405daa846a42baab81f4c60e15650414 \ + --hash=sha256:6779105d2fcb7fcf794a6a2a233787f6bbd4731227333a072d8513b252ed374f \ + --hash=sha256:6ad331349b0b9ca6da86064a3599c425c7a21cd41616e175ddba0866da32df48 \ + --hash=sha256:6f0a0b41dd05eefab547576bed0cf066595f3b20b083956b1405a6f17d1be6ad \ + --hash=sha256:73a8a4653f2e809049999d63530180d7b5a344b23a793502413ad1ecea9a0290 \ + --hash=sha256:778331444917108fa8441f59af45886270d33ce8a23bfc4f9b192c0b2ecef1b3 \ + --hash=sha256:7cb98be113911cb0ad09e5523d0e2a926c09a465c9abb0784c9269efe4f95917 \ + --hash=sha256:7d74beca677623481810c7052926365d5f07393c72cbf62d6cce29991b676402 \ + --hash=sha256:7f2398361508c560d0bf1773af19e9fe644e218f2a814a02210ac2c97ad70db0 \ + --hash=sha256:8434dcdd347459f9fd9c526117c01fe7ca7b016b6008dddc3c13471098f4f0dc \ + 
--hash=sha256:8a390e56a7963e3946ff2049ee1eb218380e87c8a0e7608f7f8790ba19390867 \ + --hash=sha256:92c4a4a2b1f4846cd4364855cbac83efc48ff5a7d7c06ba014c792dd96483f6f \ + --hash=sha256:9300aee2a8b5992d0f4293d88deb59c218989833e3396c824b69ba330d04a589 \ + --hash=sha256:9453419ea2ab9b21d925d0fd7e3a132a178a191881fab4169b6f96e118cc25bb \ + --hash=sha256:9652e59c022e62a5b58a6f9948b104e5bb96d3b06940c6482588176f40f4914b \ + --hash=sha256:972a7833d4a1fcf7a711c939e315721a88b988553fc770a5b6a5a64bd6ebeba3 \ + --hash=sha256:9c1a4393242e321e344213a90a1e3bf35d2f624aa8b8f6174d43e3c6b0e8f6eb \ + --hash=sha256:9e038c615b3906df4c3be8db16b3e24821d26c55177638ea47b3f8f73615111c \ + --hash=sha256:9e4c166f743bb42c5fcc60760fb1c3623e8fda94f6619534217b083e08644b46 \ + --hash=sha256:9eb117db8d7ed733a7317c4215c35993b815bf6aeab67523f1f11e108c040672 \ + --hash=sha256:9eb442a2442ce417801c912df68e1f6ccfcd41577ae7274953ab3ad24ef7d82c \ + --hash=sha256:a3cd18e03b0ee54ea4319cdcce48357719ea487b53f92a469ba8ca8e39df285e \ + --hash=sha256:a8617625369d2d03766413bff9e64310feafc9fc4f0ad2b902136f1a5cd8c6b0 \ + --hash=sha256:a970a2e6d5281d56cacf3dc82081c95c1f4da5a559e52469287457811db6a79b \ + --hash=sha256:aad7405c033d32c751d98d3a65801e2797ae77fac284a539f6c3a3e13005edc4 \ + --hash=sha256:adcb3332979cbc941b8fff07181f06d2b608625edc0a4d8bc3ffc0be414ad0c4 \ + --hash=sha256:af9c7e6669c4d0ad7362f79cb2ab6784d71147503e62b57e3d95c4a0f222c01c \ + --hash=sha256:b01fda3e95d07a6148702a641e5e293b6da7863f8bc9b967f62db9461330562c \ + --hash=sha256:b8d940fd28eb34a7084877747a60873956893e377f15a32ad445fe66c972c3b8 \ + --hash=sha256:bccb3e88ec26ffa90f72229f983d3a5d1155e41a1171190fa723d4135523585b \ + --hash=sha256:bcedf4cae0d47839fee7de344f96b5694ca53c786f28b5f773d4f0b265a159eb \ + --hash=sha256:be893258d5b68dd3a8cba8deb35dc6411db844a9d35268a8d3793b9d9a256f80 \ + --hash=sha256:c0521e0f07cb56415fdb3aae0bbd8701eb31a9dfef47bb57206075a0584ab2a2 \ + --hash=sha256:c594642d6b13d225e10df5c16ee15b3398e21a35ecd6aee824f107a625690374 \ + 
--hash=sha256:c87c22bd6a987aca976e3d3e23806d17f65426191db36d40da4ae16a6a494cbc \ + --hash=sha256:c9ac1c2678abf9270e7228133e5b77c6c3c930ad33a3c1dfbdd76ff2c33b7b50 \ + --hash=sha256:d0e5ffc763678d48ecc8da836f2ae2dd1b6eb2d27a48671066f91694e575173c \ + --hash=sha256:d0f402e787e6e7ee7876c8b05e2fe6464820d9f35ba3f172e95b5f8b699f6c7f \ + --hash=sha256:d222a9ed082cd9f38b58923775152003765016342a12f08f8c123bf893461f28 \ + --hash=sha256:d94245caa3c61f760c4ce4953cfa76e7739b6f2cbfc94cc46fff6c050c2390c5 \ + --hash=sha256:de9a2792612ec6def556d1dc621fd6b2073aff015d64fba9f3e53349ad292734 \ + --hash=sha256:e2f5a398b5e77bb01b23d92872255e1bcb3c0c719a3be40b8df146570fe7781a \ + --hash=sha256:e8dd53a8706b15bc0e34f00e6150fbefb35d2fd9235d095b4f83b3c5ed4fa11d \ + --hash=sha256:e9eb3cff1b7d71aa50c89a0536f469cb8d6dcdd585d8f14fb8500d822f3bdee4 \ + --hash=sha256:ed628c1431100b0b65387419551e822987396bee3c088a15d68446d92f554e0c \ + --hash=sha256:ef7938a78447174e2616be223f496ddccdbf7854f7bf2ce716dbccd958cc7d13 \ + --hash=sha256:f1c70249b15e4ce1a7d5340c97670a95f305ca79f376887759b43bb33288c973 \ + --hash=sha256:f3c7363a8cb8c5238878ec96c5eb0fc5ca2cb11fc0c7d2379863d342c6ee367a \ + --hash=sha256:fbbcc6b0639aa09b9649f36f1bcb347b19403fe44109948392fbb5ea69e48c3e \ + --hash=sha256:febffa5b1eda6622d44b245b0685aff6fb555ce0ed734e2d7b1c3acd018a2cff \ + --hash=sha256:ff836cd4041e16003549449cc0a5e372f6b6f871eb89007ab0ee18fb2800fded + # via -r requirements.in +typing-extensions==4.11.0 \ + --hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ + --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a + # via opentelemetry-sdk +urllib3==2.2.2 \ + --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ + --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 + # via + # -r requirements.in + # requests +visitor==0.1.3 \ + --hash=sha256:2c737903b2b6864ebc6167eef7cf3b997126f1aa94bdf590f90f1436d23e480a + # via 
flask-bootstrap +werkzeug==3.0.3 \ + --hash=sha256:097e5bfda9f0aba8da6b8545146def481d06aa7d3266e7448e2cccf67dd8bd18 \ + --hash=sha256:fc9645dc43e03e4d630d23143a04a7f947a9a3b5727cd535fdfe155a17cc48c8 + # via flask +wrapt==1.16.0 \ + --hash=sha256:0d2691979e93d06a95a26257adb7bfd0c93818e89b1406f5a28f36e0d8c1e1fc \ + --hash=sha256:14d7dc606219cdd7405133c713f2c218d4252f2a469003f8c46bb92d5d095d81 \ + --hash=sha256:1a5db485fe2de4403f13fafdc231b0dbae5eca4359232d2efc79025527375b09 \ + --hash=sha256:1acd723ee2a8826f3d53910255643e33673e1d11db84ce5880675954183ec47e \ + --hash=sha256:1ca9b6085e4f866bd584fb135a041bfc32cab916e69f714a7d1d397f8c4891ca \ + --hash=sha256:1dd50a2696ff89f57bd8847647a1c363b687d3d796dc30d4dd4a9d1689a706f0 \ + --hash=sha256:2076fad65c6736184e77d7d4729b63a6d1ae0b70da4868adeec40989858eb3fb \ + --hash=sha256:2a88e6010048489cda82b1326889ec075a8c856c2e6a256072b28eaee3ccf487 \ + --hash=sha256:3ebf019be5c09d400cf7b024aa52b1f3aeebeff51550d007e92c3c1c4afc2a40 \ + --hash=sha256:418abb18146475c310d7a6dc71143d6f7adec5b004ac9ce08dc7a34e2babdc5c \ + --hash=sha256:43aa59eadec7890d9958748db829df269f0368521ba6dc68cc172d5d03ed8060 \ + --hash=sha256:44a2754372e32ab315734c6c73b24351d06e77ffff6ae27d2ecf14cf3d229202 \ + --hash=sha256:490b0ee15c1a55be9c1bd8609b8cecd60e325f0575fc98f50058eae366e01f41 \ + --hash=sha256:49aac49dc4782cb04f58986e81ea0b4768e4ff197b57324dcbd7699c5dfb40b9 \ + --hash=sha256:5eb404d89131ec9b4f748fa5cfb5346802e5ee8836f57d516576e61f304f3b7b \ + --hash=sha256:5f15814a33e42b04e3de432e573aa557f9f0f56458745c2074952f564c50e664 \ + --hash=sha256:5f370f952971e7d17c7d1ead40e49f32345a7f7a5373571ef44d800d06b1899d \ + --hash=sha256:66027d667efe95cc4fa945af59f92c5a02c6f5bb6012bff9e60542c74c75c362 \ + --hash=sha256:66dfbaa7cfa3eb707bbfcd46dab2bc6207b005cbc9caa2199bcbc81d95071a00 \ + --hash=sha256:685f568fa5e627e93f3b52fda002c7ed2fa1800b50ce51f6ed1d572d8ab3e7fc \ + --hash=sha256:6906c4100a8fcbf2fa735f6059214bb13b97f75b1a61777fcf6432121ef12ef1 \ + 
--hash=sha256:6a42cd0cfa8ffc1915aef79cb4284f6383d8a3e9dcca70c445dcfdd639d51267 \ + --hash=sha256:6dcfcffe73710be01d90cae08c3e548d90932d37b39ef83969ae135d36ef3956 \ + --hash=sha256:6f6eac2360f2d543cc875a0e5efd413b6cbd483cb3ad7ebf888884a6e0d2e966 \ + --hash=sha256:72554a23c78a8e7aa02abbd699d129eead8b147a23c56e08d08dfc29cfdddca1 \ + --hash=sha256:73870c364c11f03ed072dda68ff7aea6d2a3a5c3fe250d917a429c7432e15228 \ + --hash=sha256:73aa7d98215d39b8455f103de64391cb79dfcad601701a3aa0dddacf74911d72 \ + --hash=sha256:75ea7d0ee2a15733684badb16de6794894ed9c55aa5e9903260922f0482e687d \ + --hash=sha256:7bd2d7ff69a2cac767fbf7a2b206add2e9a210e57947dd7ce03e25d03d2de292 \ + --hash=sha256:807cc8543a477ab7422f1120a217054f958a66ef7314f76dd9e77d3f02cdccd0 \ + --hash=sha256:8e9723528b9f787dc59168369e42ae1c3b0d3fadb2f1a71de14531d321ee05b0 \ + --hash=sha256:9090c9e676d5236a6948330e83cb89969f433b1943a558968f659ead07cb3b36 \ + --hash=sha256:9153ed35fc5e4fa3b2fe97bddaa7cbec0ed22412b85bcdaf54aeba92ea37428c \ + --hash=sha256:9159485323798c8dc530a224bd3ffcf76659319ccc7bbd52e01e73bd0241a0c5 \ + --hash=sha256:941988b89b4fd6b41c3f0bfb20e92bd23746579736b7343283297c4c8cbae68f \ + --hash=sha256:94265b00870aa407bd0cbcfd536f17ecde43b94fb8d228560a1e9d3041462d73 \ + --hash=sha256:98b5e1f498a8ca1858a1cdbffb023bfd954da4e3fa2c0cb5853d40014557248b \ + --hash=sha256:9b201ae332c3637a42f02d1045e1d0cccfdc41f1f2f801dafbaa7e9b4797bfc2 \ + --hash=sha256:a0ea261ce52b5952bf669684a251a66df239ec6d441ccb59ec7afa882265d593 \ + --hash=sha256:a33a747400b94b6d6b8a165e4480264a64a78c8a4c734b62136062e9a248dd39 \ + --hash=sha256:a452f9ca3e3267cd4d0fcf2edd0d035b1934ac2bd7e0e57ac91ad6b95c0c6389 \ + --hash=sha256:a86373cf37cd7764f2201b76496aba58a52e76dedfaa698ef9e9688bfd9e41cf \ + --hash=sha256:ac83a914ebaf589b69f7d0a1277602ff494e21f4c2f743313414378f8f50a4cf \ + --hash=sha256:aefbc4cb0a54f91af643660a0a150ce2c090d3652cf4052a5397fb2de549cd89 \ + --hash=sha256:b3646eefa23daeba62643a58aac816945cadc0afaf21800a1421eeba5f6cfb9c \ + 
--hash=sha256:b47cfad9e9bbbed2339081f4e346c93ecd7ab504299403320bf85f7f85c7d46c \ + --hash=sha256:b935ae30c6e7400022b50f8d359c03ed233d45b725cfdd299462f41ee5ffba6f \ + --hash=sha256:bb2dee3874a500de01c93d5c71415fcaef1d858370d405824783e7a8ef5db440 \ + --hash=sha256:bc57efac2da352a51cc4658878a68d2b1b67dbe9d33c36cb826ca449d80a8465 \ + --hash=sha256:bf5703fdeb350e36885f2875d853ce13172ae281c56e509f4e6eca049bdfb136 \ + --hash=sha256:c31f72b1b6624c9d863fc095da460802f43a7c6868c5dda140f51da24fd47d7b \ + --hash=sha256:c5cd603b575ebceca7da5a3a251e69561bec509e0b46e4993e1cac402b7247b8 \ + --hash=sha256:d2efee35b4b0a347e0d99d28e884dfd82797852d62fcd7ebdeee26f3ceb72cf3 \ + --hash=sha256:d462f28826f4657968ae51d2181a074dfe03c200d6131690b7d65d55b0f360f8 \ + --hash=sha256:d5e49454f19ef621089e204f862388d29e6e8d8b162efce05208913dde5b9ad6 \ + --hash=sha256:da4813f751142436b075ed7aa012a8778aa43a99f7b36afe9b742d3ed8bdc95e \ + --hash=sha256:db2e408d983b0e61e238cf579c09ef7020560441906ca990fe8412153e3b291f \ + --hash=sha256:db98ad84a55eb09b3c32a96c576476777e87c520a34e2519d3e59c44710c002c \ + --hash=sha256:dbed418ba5c3dce92619656802cc5355cb679e58d0d89b50f116e4a9d5a9603e \ + --hash=sha256:dcdba5c86e368442528f7060039eda390cc4091bfd1dca41e8046af7c910dda8 \ + --hash=sha256:decbfa2f618fa8ed81c95ee18a387ff973143c656ef800c9f24fb7e9c16054e2 \ + --hash=sha256:e4fdb9275308292e880dcbeb12546df7f3e0f96c6b41197e0cf37d2826359020 \ + --hash=sha256:eb1b046be06b0fce7249f1d025cd359b4b80fc1c3e24ad9eca33e0dcdb2e4a35 \ + --hash=sha256:eb6e651000a19c96f452c85132811d25e9264d836951022d6e81df2fff38337d \ + --hash=sha256:ed867c42c268f876097248e05b6117a65bcd1e63b779e916fe2e33cd6fd0d3c3 \ + --hash=sha256:edfad1d29c73f9b863ebe7082ae9321374ccb10879eeabc84ba3b69f2579d537 \ + --hash=sha256:f2058f813d4f2b5e3a9eb2eb3faf8f1d99b81c3e51aeda4b168406443e8ba809 \ + --hash=sha256:f6b2d0c6703c988d334f297aa5df18c45e97b0af3679bb75059e0e0bd8b1069d \ + --hash=sha256:f8212564d49c50eb4565e502814f694e240c55551a5f1bc841d4fcaabb0a9b8a \ + 
--hash=sha256:ffa565331890b90056c01db69c0fe634a776f8019c143a5ae265f9c6bc4bd6d4 + # via + # deprecated + # opentelemetry-instrumentation +zipp==3.19.1 \ + --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ + --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f + # via importlib-metadata +zope-event==5.0 \ + --hash=sha256:2832e95014f4db26c47a13fdaef84cef2f4df37e66b59d8f1f4a8f319a632c26 \ + --hash=sha256:bac440d8d9891b4068e2b5a2c5e2c9765a9df762944bda6955f96bb9b91e67cd + # via gevent +zope-interface==6.4.post2 \ + --hash=sha256:00b5c3e9744dcdc9e84c24ed6646d5cf0cf66551347b310b3ffd70f056535854 \ + --hash=sha256:0e4fa5d34d7973e6b0efa46fe4405090f3b406f64b6290facbb19dcbf642ad6b \ + --hash=sha256:136cacdde1a2c5e5bc3d0b2a1beed733f97e2dad8c2ad3c2e17116f6590a3827 \ + --hash=sha256:1730c93a38b5a18d24549bc81613223962a19d457cfda9bdc66e542f475a36f4 \ + --hash=sha256:1a62fd6cd518693568e23e02f41816adedfca637f26716837681c90b36af3671 \ + --hash=sha256:1c207e6f6dfd5749a26f5a5fd966602d6b824ec00d2df84a7e9a924e8933654e \ + --hash=sha256:2eccd5bef45883802848f821d940367c1d0ad588de71e5cabe3813175444202c \ + --hash=sha256:33ee982237cffaf946db365c3a6ebaa37855d8e3ca5800f6f48890209c1cfefc \ + --hash=sha256:3d136e5b8821073e1a09dde3eb076ea9988e7010c54ffe4d39701adf0c303438 \ + --hash=sha256:47654177e675bafdf4e4738ce58cdc5c6d6ee2157ac0a78a3fa460942b9d64a8 \ + --hash=sha256:47937cf2e7ed4e0e37f7851c76edeb8543ec9b0eae149b36ecd26176ff1ca874 \ + --hash=sha256:4ac46298e0143d91e4644a27a769d1388d5d89e82ee0cf37bf2b0b001b9712a4 \ + --hash=sha256:4c0b208a5d6c81434bdfa0f06d9b667e5de15af84d8cae5723c3a33ba6611b82 \ + --hash=sha256:551db2fe892fcbefb38f6f81ffa62de11090c8119fd4e66a60f3adff70751ec7 \ + --hash=sha256:599f3b07bde2627e163ce484d5497a54a0a8437779362395c6b25e68c6590ede \ + --hash=sha256:5ef8356f16b1a83609f7a992a6e33d792bb5eff2370712c9eaae0d02e1924341 \ + --hash=sha256:5fe919027f29b12f7a2562ba0daf3e045cb388f844e022552a5674fcdf5d21f1 \ + 
--hash=sha256:6f0a6be264afb094975b5ef55c911379d6989caa87c4e558814ec4f5125cfa2e \ + --hash=sha256:706efc19f9679a1b425d6fa2b4bc770d976d0984335eaea0869bd32f627591d2 \ + --hash=sha256:73f9752cf3596771c7726f7eea5b9e634ad47c6d863043589a1c3bb31325c7eb \ + --hash=sha256:762e616199f6319bb98e7f4f27d254c84c5fb1c25c908c2a9d0f92b92fb27530 \ + --hash=sha256:866a0f583be79f0def667a5d2c60b7b4cc68f0c0a470f227e1122691b443c934 \ + --hash=sha256:86a94af4a88110ed4bb8961f5ac72edf782958e665d5bfceaab6bf388420a78b \ + --hash=sha256:8e0343a6e06d94f6b6ac52fbc75269b41dd3c57066541a6c76517f69fe67cb43 \ + --hash=sha256:97e615eab34bd8477c3f34197a17ce08c648d38467489359cb9eb7394f1083f7 \ + --hash=sha256:a96e6d4074db29b152222c34d7eec2e2db2f92638d2b2b2c704f9e8db3ae0edc \ + --hash=sha256:b912750b13d76af8aac45ddf4679535def304b2a48a07989ec736508d0bbfbde \ + --hash=sha256:bc2676312cc3468a25aac001ec727168994ea3b69b48914944a44c6a0b251e79 \ + --hash=sha256:cebff2fe5dc82cb22122e4e1225e00a4a506b1a16fafa911142ee124febf2c9e \ + --hash=sha256:d22fce0b0f5715cdac082e35a9e735a1752dc8585f005d045abb1a7c20e197f9 \ + --hash=sha256:d3f7e001328bd6466b3414215f66dde3c7c13d8025a9c160a75d7b2687090d15 \ + --hash=sha256:d3fe667935e9562407c2511570dca14604a654988a13d8725667e95161d92e9b \ + --hash=sha256:dabb70a6e3d9c22df50e08dc55b14ca2a99da95a2d941954255ac76fd6982bc5 \ + --hash=sha256:e2fb8e8158306567a3a9a41670c1ff99d0567d7fc96fa93b7abf8b519a46b250 \ + --hash=sha256:e96ac6b3169940a8cd57b4f2b8edcad8f5213b60efcd197d59fbe52f0accd66e \ + --hash=sha256:fbf649bc77510ef2521cf797700b96167bb77838c40780da7ea3edd8b78044d1 + # via gevent + +# WARNING: The following packages were not pinned, but pip requires them to be +# pinned when the requirements file includes hashes and the requirement is not +# satisfied by a package already installed. Consider using the --allow-unsafe flag. +# setuptools 
diff --git a/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt new file mode 100644 index 00000000..f1ad8e3b --- /dev/null +++ b/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt 
@@ -0,0 +1,122 @@ +# +# This file is autogenerated by pip-compile with Python 3.12 +# by the following command: +# +# pip-compile --generate-hashes test-requirements.in +# +certifi==2024.7.4 \ + --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ + --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 + # via requests +charset-normalizer==3.3.2 \ + --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ + --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ + --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ + --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ + --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ + --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ + --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ + --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ + --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ + --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ + --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ + --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ + --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ + --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ + --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ + --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ + --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ + --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ + --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ + 
--hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ + --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ + --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ + --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ + --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ + --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ + --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ + --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ + --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ + --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ + --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ + --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ + --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ + --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ + --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ + --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ + --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ + --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ + --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ + --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ + --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ + --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ + --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ + --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ + 
--hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ + --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ + --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ + --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ + --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ + --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ + --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ + --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ + --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ + --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ + --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ + --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ + --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ + --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ + --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ + --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ + --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ + --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ + --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ + --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ + --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ + --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ + --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ + --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ + 
--hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ + --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ + --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ + --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ + --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ + --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ + --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ + --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ + --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ + --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ + --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ + --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ + --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ + --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ + --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ + --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ + --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ + --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ + --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ + --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ + --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ + --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ + --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 + # via requests +idna==3.7 \ + 
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
+ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
+ # via requests
+requests==2.32.2 \
+ --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
+ --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
+ # via requests-mock
+requests-mock==1.5.2 \
+ --hash=sha256:7a5fa99db5e3a2a961b6f20ed40ee6baeff73503cf0a553cc4d679409e6170fb \
+ --hash=sha256:8ca0628dc66d3f212878932fd741b02aa197ad53fd2228164800a169a4a826af
+ # via -r test-requirements.in
+six==1.16.0 \
+ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+ # via requests-mock
+urllib3==2.2.2 \
+ --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \
+ --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168
+ # via requests
diff --git a/istio-1.24.3/samples/bookinfo/src/ratings/package.json b/istio-1.24.3/samples/bookinfo/src/ratings/package.json
new file mode 100644
index 00000000..f0498224
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/src/ratings/package.json
@@ -0,0 +1,11 @@
+{
+ "scripts": {
+ "start": "node ratings.js"
+ },
+ "dependencies": {
+ "httpdispatcher": "1.0.0",
+ "mongodb": "^3.6.0",
+ "mysql": "^2.15.0"
+ },
+ "private": true
+}
diff --git a/istio-1.24.3/samples/bookinfo/swagger.yaml b/istio-1.24.3/samples/bookinfo/swagger.yaml
new file mode 100644
index 00000000..6782e732
--- /dev/null
+++ b/istio-1.24.3/samples/bookinfo/swagger.yaml
@@ -0,0 +1,248 @@ +swagger: "2.0" +info: + description: "This is the API of the Istio BookInfo sample application." + version: "1.0.0" + title: "BookInfo API" + termsOfService: "https://istio.io/" + license: + name: "Apache 2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0.html" +basePath: "/api/v1" +tags: +- name: "product" + description: "Information about a product (in this case a book)" +- name: "review" + description: "Review information for a product" +- name: "rating" + description: "Rating information for a product" +externalDocs: + description: "Learn more about the Istio BookInfo application" + url: "https://istio.io/docs/samples/bookinfo.html" +paths: + /products: + get: + tags: + - "product" + summary: "List all products" + description: "List all products available in the application with a minimum amount of information." + operationId: "getProducts" + consumes: + - "application/json" + produces: + - "application/json" + responses: + 200: + description: "successful operation" + schema: + type: "array" + items: + $ref: "#/definitions/Product" + /products/{id}: + get: + tags: + - "product" + summary: "Get individual product" + description: "Get detailed information about an individual product with the given id." + operationId: "getProduct" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductDetails" + 400: + description: "Invalid product id" + /products/{id}/reviews: + get: + tags: + - "review" + summary: "Get reviews for a product" + description: "Get reviews for a product, including review text and possibly ratings information." 
+ operationId: "getProductReviews" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductReviews" + 400: + description: "Invalid product id" + /products/{id}/ratings: + get: + tags: + - "rating" + summary: "Get ratings for a product" + description: "Get ratings for a product, including stars and their color." + operationId: "getProductRatings" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductRatings" + 400: + description: "Invalid product id" + + +definitions: + Product: + type: "object" + description: "Basic information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + title: + type: "string" + description: "Title of the book" + descriptionHtml: + type: "string" + description: "Description of the book - may contain HTML tags" + required: + - "id" + - "title" + - "descriptionHtml" + ProductDetails: + type: "object" + description: "Detailed information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + publisher: + type: "string" + description: "Publisher of the book" + language: + type: "string" + description: "Language of the book" + author: + type: "string" + description: "Author of the book" + ISBN-10: + type: "string" + description: "ISBN-10 of the book" + ISBN-13: + type: "string" + description: "ISBN-13 of the book" + year: + type: "integer" + format: "int32" + description: "Year the book was first published in" + type: + type: "string" + enum: + - "paperback" + - "hardcover" + 
description: "Type of the book" + pages: + type: "integer" + format: "int32" + description: "Number of pages of the book" + required: + - "id" + - "publisher" + - "language" + - "author" + - "ISBN-10" + - "ISBN-13" + - "year" + - "type" + - "pages" + ProductReviews: + type: "object" + description: "Object containing reviews for a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + reviews: + type: "array" + description: "List of reviews" + items: + $ref: "#/definitions/Review" + required: + - "id" + - "reviews" + Review: + type: "object" + description: "Review of a product" + properties: + reviewer: + type: "string" + description: "Name of the reviewer" + text: + type: "string" + description: "Review text" + rating: + $ref: "#/definitions/Rating" + required: + - "reviewer" + - "text" + Rating: + type: "object" + description: "Rating of a product" + properties: + stars: + type: "integer" + format: "int32" + minimum: 1 + maximum: 5 + description: "Number of stars" + color: + type: "string" + enum: + - "red" + - "black" + description: "Color in which stars should be displayed" + required: + - "stars" + - "color" + ProductRatings: + type: "object" + description: "Object containing ratings of a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + ratings: + type: "object" + description: "A hashmap where keys are reviewer names, values are number of stars" + additionalProperties: + type: "string" + required: + - "id" + - "ratings" \ No newline at end of file diff --git a/istio-1.24.3/samples/builder/README.md b/istio-1.24.3/samples/builder/README.md new file mode 100644 index 00000000..ca007151 --- /dev/null +++ b/istio-1.24.3/samples/builder/README.md 
@@ -0,0 +1,31 @@
+# Sample builder
+
+This folder contains docker image building logic for various samples, to consolidate things.
+Note some images still user per-folder config, so this is not complete.
+
+## Building for testing
+
+To build all images and push them:
+
+```bash
+docker buildx bake --push
+```
+
+This will push to `localhost:5000` by default, which you can override with `HUB=localhost:5000`.
+It will also build `linux/amd64,linux/arm64` which you can override with `PLATFORMS`.
+
+You can also build a set of images instead of all of them:
+
+```bash
+docker buildx bake --push examples-helloworld-v1 tcp-echo-server
+```
+
+## Updating images
+
+When updating images, increment the version for the image in the `tags` config.
+You will also want to update the sample YAMLs
+
+## Building official images
+
+Set `HUB=docker.io/istio` for official image builds.
+Its best to only do this once for each image to avoid accidentally mutating existing images.
diff --git a/istio-1.24.3/samples/certs/README.md b/istio-1.24.3/samples/certs/README.md
new file mode 100644
index 00000000..847d60ab
--- /dev/null
+++ b/istio-1.24.3/samples/certs/README.md
@@ -0,0 +1,38 @@
+# Istio plugin CA sample certificates
+
+This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
+a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
+Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
+
+The included sample files are:
+
+- `root-cert.pem`: root CA certificate.
+- `root-cert-alt.pem`: alternative CA certificate.
+- `root-cert-combined.pem`: combine `root-cert.pem` and `root-cert-alt.pem` into a single file.
+- `root-cert-combined-2.pem`: combine `root-cert.pem` and two `root-cert-alt.pem` into a single file.
+- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
+- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
+- `ca-[cert-alt-2|key-alt-2].pem`: alternative intermediate certificate and corresponding private key signed by `root-cert-alt.pem`.
+- `cert-chain.pem`: certificate trust chain.
+- `cert-chain-alt.pem`: alternative certificate chain.
+- `cert-chain-alt-2.pem`: alternative certificate chain signed by `root-cert-alt.pem`.
+- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
+- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
+- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
+- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
+- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
+- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.
+
+The workload cert and key are generated by:
+
+```shell script
+ ./generate-workload.sh foo
+ ./generate-workload.sh bar
+```
+
+To generate certs signed by the alternative root `root-cert-alt.pem`
+
+```shell script
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+```
diff --git a/istio-1.24.3/samples/certs/ca-cert-alt-2.pem b/istio-1.24.3/samples/certs/ca-cert-alt-2.pem
new file mode 100644
index 00000000..afd02209
--- /dev/null
+++ b/istio-1.24.3/samples/certs/ca-cert-alt-2.pem
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFeTCCA2GgAwIBAgIUNnd90WzsKHfAhOFJAiow2W5D8iQwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNTMwWhcNMzMxMjA4MTYyNTMwWjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMjCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAMbK7UmbUiCLkoUMUXE+5gkfHQ/x808O/RfL +JNxUa/1pN6Jt9COosld69FmJBwpTufOyCZOP7rerOeufxlel45R28EVNyRnjG6jO +Kl/O1vuAwjc0HNvftXTsYVEZ+zpV4UWa4QK6kUwIZ6KH75A6HT6qmJavNEs1PEUA +oCitowAMpn8Ix1E9LxQNgx7IUeAD8THzyeAPZsOYcl1IFWvZkcqabg9hMqXtPxP0 +eciHlQb/jeEd0gLTXVi7ymhUczMmffxZZrQ346Ylz7zZ6SkHFjPCyfeNSwB5iszk +VdKGVtyogmp7mEcwa8o4p1JESmWF3qRZpUVs+Y7loGYTVQBlqUSdnI/zx5yd+qXY +mR3ktEUK5AUI7liIwJ1BKZy6z4OSZ+qna+LbJRqLcB/4tK0YuOf8ffmk18GyjQQ+ +tKeZjntTnnaS+mtFLP1zpW+BnurCRfVPxEg8bFCg511AuyuWRuB2MHQXQg+H915C +e2qm5/ccGfV2mDVF2jKS1q39g7YVLd5HCxR0rBlrh9IwdxE5sAzoREylLrc+HsJn +27841ID+MiwI3l/GUst/UW2SEA1OtxT5USC6pkZyRBM/Y7OJthNxXyCOpzUhu8AQ +GUbtrdI7oEFaSLsdH2GXhQeh0TecJiNnhbvIryZK2HofWncdBVE+AcK7VWUFO4At +6gVcR1qPAgMBAAGjgYswgYgwHQYDVR0OBBYEFCuu9MuphtLDKUZpJK49m12qXRwo +MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC +F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp +EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQDGvZxypjwVUljjvQ1AFi6Grirq +iLPgrC5zepLyUaWefLr9I99k4Uq8+f5WWk3Y04SWnY2JPNGvdjAG8aRpM0IixnO0 +OFnlaYjRBv0EKhdzg+TC6O9R2s5s01lR4ya1kmzDyC7BKcGzo8T2IXOOTftcFAAT +arc6Z55BuFuYslWlj+bQ96mxuN1q53a+JzYl+o92vpdnCBKb3OSGjb1hA29E3wzm +YPsctkItuGImX/JUBqZH/0YxdRDjXI8AJ8R8p1qoZZORMrMVey8bX98EN3ai8HVQ +RmP1Fa7qU3O28fi5JHGaX48O8VdJHdRR0G87qDNxArtrhrylrcTykPZkapwUQP+C +SJuy2F5hEVwI8nwX6SKbzW3tsUYQssk9/3U4DmfIWhCg7ffeEp+aLshkrtlIi9NY +YZtznntQagFSs3Cg/XsSjcKMmVfQ69uy7tTHUpK66mz5DosRBo13DFaI19bxNfQX +yJnKuuvyx1q6Y7BsFwqElX2G9WZ6/mgUpochDKgTni0o6AmDBvrfcXfJRxQwICUe +crvOngDaRmQ50HaKoNtWgYHYCXSNP8de//Yz+ebusyLca4i0PTt5oGInW4k8folC +ntXpODzLE3qNYRrSM74KGNre7hwp9BE+i6ksiojVawt5GJgS98PK3zdpVNNIPp0s +ZW8HVio+HD4I2VBxTQ== +-----END 
CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-cert-alt.pem b/istio-1.24.3/samples/certs/ca-cert-alt.pem new file mode 100644 index 00000000..f20a8c6e --- /dev/null +++ b/istio-1.24.3/samples/certs/ca-cert-alt.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFeTCCA2GgAwIBAgIUQchu+RczGG1A4BnmrCcpkURQGTAwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNTI1WhcNMzMxMjA4MTYyNTI1WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJCkq9Y68g9n0i4xkyYo4mygXIgaj94cvmu3 +X81CLEu/hYrl08acaKZMno+57ibAfxKBsWfA0FMp1eXZ3T9KYlNsSarC8c6RCPbX +Lzp4iPGMq5n/+OgCGaVUbaLuZB7F6gCJebyM3Du6Zap7X1xm3w2EpiVqHW6iAJqv +oBNtm7/uzFQiIU3UMeea/XBzo1FpDqNcuc/GgyILs1GA2+U4LfmcwhvUjF36bZ1q +WMnPfCMHwHTNiGikAJKSXqADz8+rthOyNZq3yFGV/ZOJf6yHOWiyP1BjojRbHCt1 +P8u2nWuD40iqreVrQw3h5Hsz6+mCIkUYFZ45yO0fyRZ/q46M8RKHluD1VI7X6R98 +wB+XPqh12tbXUQJw1/QdtUotszhQq/WUbewX9v4joGIel3MFpoBCoaHh4N4/S1Vk +9k32c4lEYeV5wO6DZSV9fuasN6KzaiPNNiufP2MnIzJSbal0uZJ0dmyhmHGLGsGc +t6zxAQpV8reqWZE1mZt94T4TnDpm61BDKRPRu7s6sP42iq6055c+5x3DhVqTInnB +uTi7oikTykZ2s0budYyjATNMUuz2RHZXxfb6ScqC5mEL0kbKCDgRzS0NS15LHpUX +Ue65PG8hiuWLuDTcQohWFkeIQyKUGL9uQ5qmmGK8FZwUU/9gY1JjrMw5sa+rVN/C +hkbRsHmBAgMBAAGjgYswgYgwHQYDVR0OBBYEFP/KjsSWWC+hw1cIaZLn1ZV3IeMq +MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC +F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp +EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQBO6P+y7UQ7HRyA7dOf2Dvze6xv +HKgjh8z5uKNbfvmgUT2gECQ+3g0LvDRYHU7w/isSmhCQxIGf+xc7r3+Rtyjg+uEc +8z0UBysbqrn8pZXPr+FPU5X5czUnwXlZwj02e1fY250LCmfHXFYuPzgwtlbJs2Ec +2exDG7EZWWX6l/mRFQR8HiF/jum2i06yjO1v+phUVenW/ym2fq+/lY/ZWebQasD7 +7PT3yT/Eage4AIj5zYmZzqJex3OKDiVltAUefnekFJBKqv1UIcWlijRPZPK8uYQk +IYHRL5fpa9E/HkwY8QopXPJi6Yfx76acY+dQd1xovY3noUVGzQV5wuaICS9V6H9B +5vkxDYbbABQQ9OJcy8XR7cqlkUATiH5hVRjMSKJiostO+CiVDWjZyJdNgR0kZeaa +9cSYBdTBxN82A/Vtq4ETq/PG5rR08KQY4HqIlOlo16OxGcJ2zVKSk5lTeI1wx/in +uOnJTo5mDJHOJrtYGuCLiqZp/Fbcz/Tb9Qccc1yw78feYiNV6JXKx3uPvfsNbXkY +KnsorT6OQ9G2d/zKPYUw+JEc1BJpk8okvGT8oTfvnfXty63ccN4+iyohQP/GwtQ9 +XiIJ0gGGQjY1VA/L2MOYV0hSMLgddvl4Pt8KXsxQ72gGl8a/s1oOKkYfpm/xchpd +3ldrrKbAwExwhsARrA== +-----END 
CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-cert.pem b/istio-1.24.3/samples/certs/ca-cert.pem new file mode 100644 index 00000000..a460e036 --- /dev/null +++ b/istio-1.24.3/samples/certs/ca-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-key-alt-2.pem b/istio-1.24.3/samples/certs/ca-key-alt-2.pem new file mode 100644 index 00000000..f6e2468d --- /dev/null +++ b/istio-1.24.3/samples/certs/ca-key-alt-2.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDopeTrevAe/mV+ +rXUNjxsamaQgQ6GQuHlsysUxO9MfMo6jn/v55KZv8LvjRTQXsxT7SIY5UPAcDXUZ +So866W4kIncUFuIFCvRQfULcP0/dVz8Al1tcssyi5s5rEnUIb8QmCXpM3g7cTONz +taBSwmY8JG+EjNkUJzFzlWOdMa9kvR2DboWhTnKazM8SUCa7gQDCI0ntZkbFotqx +uqIkbsxYpgw2mplEGoEcVbfBID2MYqoK+w5CtNGBsnr946auIb33smqtnAC52fyC +xwoDu3I9XLJZmYEPqk/EyP6cTmxRT3E4SSTGtgEqS51L+eraubpDUBwoW5NPkKah +qRhaia/26nCMB29WVvSWOfnIb8irZF+Gaq7tWsGY3oZ0o4VWXLmhxMBeeHGhy6Zu +RID6lE2HCj/LJCChKAThwGpLn2P+9TYiAHjrP8A47SRUq+evKWPgUtOgnF7plgGk +1WafZt9kIxV0+tptoqquUoMgOT1StBsFRHjUIEk4ABHSZ83y1U61T5AnmVWWfArf +bsBNYSRRAFU3fD9aIF2RqNlYxCezxoMZaNC7hyqD4vrH+yTsJxuFVgUo+iSYtIxa +jeJODKtUv0x1sxzhH3JhQ/I2Gk8fby3HEC21eHit69MU+qDQQ69xApY28qk3uEE0 +whzxBAmdqWuWMOkdM4dQpq93vqaJRQIDAQABAoICACZ9FY2AofuarjtiInibCYqh +yvWcgrzwzAPb2vo9cbzaTh9TTypFMeTYkJj1oLvgAHNfCPewBH07m7kSrPX72uEn +A4jDDWL0sD0lr/tEjSeq8K0eHTsNiI3VveYYYFzEMtDxJfbUEOTQ4ptIu8ydRTEj +fQCSlbJAFq4O07NUnjX+FIUjMn/gfNTP190pffLs0W2MzYT1M/Wr7t7S59K7stpi +pCgfdQY/lUcVBkiw1wXj58pXxQDzrap1luPsdu2dfvJc5cmxgqw8nEodeDJsXya4 +MHhizSeEj1xYvUiqL8DW8f30Gd23DCPNbSk94CUN73sF5JanqcwSvAKIOVN3LnFM +DrGnvMi4Quct5rBEVsZW7mKdgmNd0rPCjAbQKY3T3HyQuAm/gR0rEv3x4WOvFK2m +SgPpgcrozNvP9RUgZlziNkdl9iVlnpi/bOAk2VKbQWhArOTolWiEJDNcKOsAQXUj +JuTEEfv2z9adbguhIL7A79AeqsdJze7YBSqvZcmxVg8FOvQlzlMnznQIfMSTniS2 +CAIEmxPqQ6EQLjMSyDoDdQ5UFQ62MAoG3XGkI9iUQLSsaqY6GBVBJVpAGfbQed/c +6HAxwdJBw5270Z0xw+U4gTuaG8qDvHHqqO6M9YIjsKAnkwjwGmF1l6HHFFsr5Hyc +8ZdOGuBV5KBne3vVkmXxAoIBAQD4FTx5vLwdbILvr0ehxLfIH3jxsfF8Dphqb1g0 +tCaiKMEqaeLaKTBxy+h9Z4qfXDQW+3Oa2CZgAbDc2bCJynQ/li5lDGwXlFwnuzPV +Dq8mIOymogZFgX+WbDDLOJ7rNrj7+82WV4UHZVlDQ3/5zkvJ2GuVICV9MAr1b2c+ ++1y0ozE87wViQDuBlHxLDHL7OZq0UinBlAJ0eyPWn5ZjkhxKHqqcDBKjbYm5JgV+ +GhNvNeJZcLUUkmg+MCPMglZ0SJojDBiLVBE5m1S8x+vyoy4bjb0GWag2rapqkCbv +5X/WqMrVxZdB1X86d4hLFaDwG7yNZtnijJigdFwS+EayE+rVAoIBAQDwEo8ofTZa +hoY5Fl8KNigqEP5/5n24q+qZ6Ku+SkWBnqmGS5ZHx7u6aItXWc/m9MoZh/jLlbba 
+LNCqT1MKa4jLkVVkyUBTqFy4bu3baU1BYHE0zLEkegsb8RnD3tFGI4tjEoBnvwEq +yQItbQp9IhGTw60fml619WU2yZK5gfIYxBxJyT8M33aizYRSGP2ihBtwFz16/L33 +If0nA30RD2hOXcSGAfoyAn7nFqQfTkByTsSTp8HrqtHLDrTLNDSewx09c2ExuXPd +XdcXVvA6Z7ZP/vpVrqkLQHVx4dpPsvKQ7rwI0KKjjkvEh/XkJq4xUlPlyMrVkULX +EFPXHGNhmnyxAoIBAQCmEKEg5KQQFjk39N9AfIyBm/+72t/JqYOBi/NBpG5QEnPr +zmGapAPXySVh/NOghXohAEWMm7Bkh/06eUZhlnJmtkNsRPp+dkOSHRA/SMsZ/OQt +TzxffqZHrTikcMyAq2r80rv2LbPRFZjBHAgo0l2NSiAJ/TDbMjPDw8UbNewCx1MI +dP/nmxO6VAk3u6ekYBUdK/rjqA5UprGA0+c50+639vtB5hr75zFQDRGULiRgR3Oz +Z2zvzmmVZ2gvV/hDcu4rE8fCTI4TP9VjYXiiPXV54FFuVMnzgCEZoFFQORJwQSE2 +JERyP1Yhby5/BIVs9UQsa3Li4jaxAfM4h5XbUtXZAoIBAQDPCrJ78MCXgbzwLuL4 +I4yv+sgB9f4m7dz9rzOugM9A4lzBfR61+QNl2BOT2dj7DdHeAu4GZa+0qUGsH402 +R1dKeKR0rzvS6jhMtx5bQ41k/I+lQYLkOnyqNFxMGDXTj4P+hU5IKuoOxBwkoQ2S +rXcLQI5l2vQjaOdJQL5RTkhEI51h5TWDHJVsAmJDi1nydoxTNzfGgYIzSBTTOKb7 +t5X1P9jk2X+08YIQOe6BMTNTYasWzG7pmAAmZyB0vylCYnMtM/x2rcHG/88oScoU +FK2ef//VNTSEh6rB9E4avfGEHN/9mjEpbObbL4ZYpSNFVgMVAP4tAYHriCFGOy1a +V6mBAoIBAQDVG3hZJ8jONTpW4EXLrHIWtgxhYNjIdM3EFPFLZtMQ3ub6iNwtfMeM +fjD4CJGRIK52t4jv65F0lY8p4JFGLVjnXIIxP45/GZ4CGj+APg4dBd5cORmJmuZQ +jzJyHJ1/Oc12v1VMb7HJRezeAm60wjGKr1PeFezp2HkjQDNswwSvjmbQhIYvIII+ +l5RosqYuIPYq96+L4gj4VSh4IfbUHt0fY6O90cjdHK0fbXL99GtKMJvgA4u9IKDb +FwimOxL+xU8CeBV8TebVS5NYyyPHoKNkGh5GDNkKFG4e75Qn04P+vRvn/CJaz2Vt +f9ijIRn01xKm7QpucsEmo6FNo58miyT9 +-----END PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/ca-key-alt.pem b/istio-1.24.3/samples/certs/ca-key-alt.pem new file mode 100644 index 00000000..3f1f1964 --- /dev/null +++ b/istio-1.24.3/samples/certs/ca-key-alt.pem 
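Review bot: CA private keys are committed in this hunk (`ca-key-alt-2.pem`) and again in the `ca-key-alt.pem` and `ca-key.pem` hunks that follow. They look like the published Istio sample keys (the `samples/certs/README.md` added in this same diff describes them as pre-generated samples), so they are publicly known and any mesh that trusts a CA built from them gets no real workload-identity or mTLS guarantee. I cannot see the Istio install script from here; if it creates the `cacerts` secret from `istio-1.24.3/samples/certs`, it should generate a per-deployment root and intermediates instead. Independently of that, consider keeping the unpacked `istio-1.24.3/` tree out of the commit (for example a `.gitignore` entry such as `istio-*/` and a download step in the script), so that secret scanning on this repository does not need a standing exception for PEM private keys.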
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCQpKvWOvIPZ9Iu +MZMmKOJsoFyIGo/eHL5rt1/NQixLv4WK5dPGnGimTJ6Pue4mwH8SgbFnwNBTKdXl +2d0/SmJTbEmqwvHOkQj21y86eIjxjKuZ//joAhmlVG2i7mQexeoAiXm8jNw7umWq +e19cZt8NhKYlah1uogCar6ATbZu/7sxUIiFN1DHnmv1wc6NRaQ6jXLnPxoMiC7NR +gNvlOC35nMIb1Ixd+m2daljJz3wjB8B0zYhopACSkl6gA8/Pq7YTsjWat8hRlf2T +iX+shzlosj9QY6I0WxwrdT/Ltp1rg+NIqq3la0MN4eR7M+vpgiJFGBWeOcjtH8kW +f6uOjPESh5bg9VSO1+kffMAflz6oddrW11ECcNf0HbVKLbM4UKv1lG3sF/b+I6Bi +HpdzBaaAQqGh4eDeP0tVZPZN9nOJRGHlecDug2UlfX7mrDeis2ojzTYrnz9jJyMy +Um2pdLmSdHZsoZhxixrBnLes8QEKVfK3qlmRNZmbfeE+E5w6ZutQQykT0bu7OrD+ +NoqutOeXPucdw4VakyJ5wbk4u6IpE8pGdrNG7nWMowEzTFLs9kR2V8X2+knKguZh +C9JGygg4Ec0tDUteSx6VF1HuuTxvIYrli7g03EKIVhZHiEMilBi/bkOapphivBWc +FFP/YGNSY6zMObGvq1TfwoZG0bB5gQIDAQABAoICAAOg1NRkMMKbCyg4W0GEmqbo +yB9sIqYavJpTPIyHm5i4FHmLKbJ4hY2/2+WdL2ySjTF1tkF08kjWwqBAFHsgIpqm ++4tUdeg1hkb6V3uBDubXvW140LmhpVrqxPAGiLWGp4e1SxvkIOlg4+hYjUgiJrfW +JyyGtpeqCce3jnV0TTkNnHujCkizcR/HGRLFPNBXyTum8ZyFFVChIGGz0LhFji4t +7ObRsGZyV+XwJytjSHDwwqavaeu9iuviTuw2wkOKYjAo6wwvLl/BCl4FP8IQN4wB +NiI+KJFFhI2wxI2XrmfWNGkkCmYICHPggeinARS/vFw1NiQcnRYZIzQ8tj0GeyzP +FeC4ozplVdsp4ouY1/XsyoW1vG/gRLV+ua3dQyHPreLAP452QGOhzffUNksCejtb +dPQJ5e4RZeAQab5YL2MSNCutZ/tcGJtsjuiSfDZZflWEeKpXz/NU4WiGxX+AHC6C +TIscYhXbCkanZ6J5UXOwVjUsg2xLcuAyoh67iphMuqTbaeQSJehPwhkR4VXad9mW +1ChZJnc/YSD6S3/fGzSn94kWWDCoRh9KUtqk0ZCRJBQdHq9owPny0tszxJZZw6wF +6nnQH8Ywk5RsvNL2CxMWFuPIfPgUuoSgucBpWoHmcN7ZRWsd+wfZsolbZtE09buz +mUXybkHnWtMUO3MlJoARAoIBAQDK7E9ZExt4GGsyvWAw2HVuHJ0VF5LAlvgHGiHj +r2zDw7mWX9jIMnZcB3s3DJFIZloQspDyxrIwefuI2xTHpoI4yeTH/MWjyzaBhZAW +uMDakWuUTFXYfPPrLorLh7HwMYGxJoI5Gx9bvTHs/Gl/3KwNsX6kWayCTruvUfuH +5uOKZd3XvjgfcUT9uKnOf/K8eJDZ2d4LIDm+VkCSsU832CsPMf1O0wLGe1QEiaAt +PXHyxF5wnNn3URYmtukyX4gspI9ZCqu6cYOYdvuwl6XihaFD812eUtnaNc5b8BQH +5/INKNvZrPmcjvW2LiPqHFfnG8gvcZ++hy/poG48/5K7/k3RAoIBAQC2efRnqHxi ++mPDCytVdI1egkMZzkfq8syzPKr1zE6fDCizYuIGl00SJOVvm0avFz0z+mBT2cGl 
+xYMe36XtkLZ7qt0g95M/8Obt1EZvOJ5AGgjFgOCD3BPK1W/CdXP+Aa1HKb0LrUak +VRfARWjDvF97q2BANyWRy4mfRHcgQbXDcuSG4iyUP9IPZWHtt13CTrkM0zbawFb/ +nx1tmLCXT4N+s3h3PgB6+TpolWuZX1Sxbkggf4uQwZrwrcuDF+F9pbgQ97oeNmmP +BSZoh0YG9COdVxTJ5nqFYKKenLl3PVG5SADBrW5Hftax2bfijq/UdwolwLWc26uV +y05jJ8odIOyxAoIBAF1bYJoDX2TeHxtl4sY2H7h784zLnpl6GzvxOtwsTea2ukBD +clGQXcGzM229G23qoM8DyAnZfgstY5qv6Bx+L3T+9YFIeokDqdzm3MaHUzp7IrpE +cE48FmABtpsyn5t4u0kMBWdOYhvrq/dynPrVRFa8bR4hn2sH2/MpzYXVpKN8gBaM +jfdxPiNYfM7jMIKjGUkQocYOmmJF/kk+x8pSamUAQ6CrFaDJBntb8dQ+a5kb3LME +hobwyDcheaHSL60SPFzjuuP462kOfHbfHdNcVTgU0+JODaoFjR3hEuYcQNDrFlJL +8T6kysh4687+ITbTIkMpjCu0uEdMpsrrbc+NjLECggEAPuxI6iHAWsUq94v3cm1R +fmB+0Pw/8nWtPrVR4paEGfYwZsNXW5x62CHe+CBcPG5QDYduBhwV2ZsFPvUyG3yG +YJinzgFxRmBE0YgcjafBcitIEQsC4JVYQd5dvnmP+OwNG3f6F3e13170ZLnKiYyA +hH2xIBOkIeVE3KXYSkg+bFpHEXgWlTx4rBRys21CqIlK6HBA/yfKGDV/CVbYtiSW +HG+4v62irsUYbg3wX5/u7Yww1PwGXXFVg176yYbHm/M0SK2UAW0T81x8RRk4fZdc +XJo1sfWHFE0hZn52ufZsIu8AS8kJOSA02nlQHpDDcwlld2U/ewqI3YuQyUJkQK0k +0QKCAQAdJtr4fvDtghvum7+ZYkzmt9kstm4/elM35FmAtJfm11DQJ4bSTErrj+Zz +zQOJ0P8VF0MFoFoCuUPoN5u2eq3Y0na6DhD4RqYJA9BkZFrKqn8U33CgX6qQ7UHC +P3WuawYeR3xBdIKPUGOMPdUiwfC6Xz9JL2L0WcnoGQ3rI3AhijvyF4r4F3dCycZy +IM5LZJWsTOhCJqOuxrAQLJz2UX28+Bn7gH+jPTZLKE2yX3NH9/L0ydqwZLjFw3e9 +I53RcJBti1zA8N0n8IISOlwiKnhUiLyrujccEYzQFDVyjvcGos68gNLEXPPOceq1 +8xj8Qh/Q3Y4H3Ktn1ELiSPHc44oM +-----END PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/ca-key.pem b/istio-1.24.3/samples/certs/ca-key.pem new file mode 100644 index 00000000..faa77f38 --- /dev/null +++ b/istio-1.24.3/samples/certs/ca-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 +3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd +Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd +PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs +ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ +t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B +C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN +ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU +8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg +oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf +QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w +J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp +FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ +CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e +DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE +Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN +cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt +yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO +wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY +qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D +Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 +cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 +mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa +8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ +lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== +-----END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/cert-chain-alt-2.pem b/istio-1.24.3/samples/certs/cert-chain-alt-2.pem new file mode 100644 index 00000000..ba9e49e7 --- /dev/null +++ b/istio-1.24.3/samples/certs/cert-chain-alt-2.pem 
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIFeTCCA2GgAwIBAgIUNnd90WzsKHfAhOFJAiow2W5D8iQwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNTMwWhcNMzMxMjA4MTYyNTMwWjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMjCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAMbK7UmbUiCLkoUMUXE+5gkfHQ/x808O/RfL +JNxUa/1pN6Jt9COosld69FmJBwpTufOyCZOP7rerOeufxlel45R28EVNyRnjG6jO +Kl/O1vuAwjc0HNvftXTsYVEZ+zpV4UWa4QK6kUwIZ6KH75A6HT6qmJavNEs1PEUA +oCitowAMpn8Ix1E9LxQNgx7IUeAD8THzyeAPZsOYcl1IFWvZkcqabg9hMqXtPxP0 +eciHlQb/jeEd0gLTXVi7ymhUczMmffxZZrQ346Ylz7zZ6SkHFjPCyfeNSwB5iszk +VdKGVtyogmp7mEcwa8o4p1JESmWF3qRZpUVs+Y7loGYTVQBlqUSdnI/zx5yd+qXY +mR3ktEUK5AUI7liIwJ1BKZy6z4OSZ+qna+LbJRqLcB/4tK0YuOf8ffmk18GyjQQ+ +tKeZjntTnnaS+mtFLP1zpW+BnurCRfVPxEg8bFCg511AuyuWRuB2MHQXQg+H915C +e2qm5/ccGfV2mDVF2jKS1q39g7YVLd5HCxR0rBlrh9IwdxE5sAzoREylLrc+HsJn +27841ID+MiwI3l/GUst/UW2SEA1OtxT5USC6pkZyRBM/Y7OJthNxXyCOpzUhu8AQ +GUbtrdI7oEFaSLsdH2GXhQeh0TecJiNnhbvIryZK2HofWncdBVE+AcK7VWUFO4At +6gVcR1qPAgMBAAGjgYswgYgwHQYDVR0OBBYEFCuu9MuphtLDKUZpJK49m12qXRwo +MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC +F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp +EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQDGvZxypjwVUljjvQ1AFi6Grirq +iLPgrC5zepLyUaWefLr9I99k4Uq8+f5WWk3Y04SWnY2JPNGvdjAG8aRpM0IixnO0 +OFnlaYjRBv0EKhdzg+TC6O9R2s5s01lR4ya1kmzDyC7BKcGzo8T2IXOOTftcFAAT +arc6Z55BuFuYslWlj+bQ96mxuN1q53a+JzYl+o92vpdnCBKb3OSGjb1hA29E3wzm +YPsctkItuGImX/JUBqZH/0YxdRDjXI8AJ8R8p1qoZZORMrMVey8bX98EN3ai8HVQ +RmP1Fa7qU3O28fi5JHGaX48O8VdJHdRR0G87qDNxArtrhrylrcTykPZkapwUQP+C +SJuy2F5hEVwI8nwX6SKbzW3tsUYQssk9/3U4DmfIWhCg7ffeEp+aLshkrtlIi9NY +YZtznntQagFSs3Cg/XsSjcKMmVfQ69uy7tTHUpK66mz5DosRBo13DFaI19bxNfQX +yJnKuuvyx1q6Y7BsFwqElX2G9WZ6/mgUpochDKgTni0o6AmDBvrfcXfJRxQwICUe +crvOngDaRmQ50HaKoNtWgYHYCXSNP8de//Yz+ebusyLca4i0PTt5oGInW4k8folC +ntXpODzLE3qNYRrSM74KGNre7hwp9BE+i6ksiojVawt5GJgS98PK3zdpVNNIPp0s +ZW8HVio+HD4I2VBxTQ== +-----END 
CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta +YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ +dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/cert-chain-alt.pem b/istio-1.24.3/samples/certs/cert-chain-alt.pem new file mode 100644 index 00000000..204d4090 --- /dev/null +++ b/istio-1.24.3/samples/certs/cert-chain-alt.pem 
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIFeTCCA2GgAwIBAgIUQchu+RczGG1A4BnmrCcpkURQGTAwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNTI1WhcNMzMxMjA4MTYyNTI1WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJCkq9Y68g9n0i4xkyYo4mygXIgaj94cvmu3 +X81CLEu/hYrl08acaKZMno+57ibAfxKBsWfA0FMp1eXZ3T9KYlNsSarC8c6RCPbX +Lzp4iPGMq5n/+OgCGaVUbaLuZB7F6gCJebyM3Du6Zap7X1xm3w2EpiVqHW6iAJqv +oBNtm7/uzFQiIU3UMeea/XBzo1FpDqNcuc/GgyILs1GA2+U4LfmcwhvUjF36bZ1q +WMnPfCMHwHTNiGikAJKSXqADz8+rthOyNZq3yFGV/ZOJf6yHOWiyP1BjojRbHCt1 +P8u2nWuD40iqreVrQw3h5Hsz6+mCIkUYFZ45yO0fyRZ/q46M8RKHluD1VI7X6R98 +wB+XPqh12tbXUQJw1/QdtUotszhQq/WUbewX9v4joGIel3MFpoBCoaHh4N4/S1Vk +9k32c4lEYeV5wO6DZSV9fuasN6KzaiPNNiufP2MnIzJSbal0uZJ0dmyhmHGLGsGc +t6zxAQpV8reqWZE1mZt94T4TnDpm61BDKRPRu7s6sP42iq6055c+5x3DhVqTInnB +uTi7oikTykZ2s0budYyjATNMUuz2RHZXxfb6ScqC5mEL0kbKCDgRzS0NS15LHpUX +Ue65PG8hiuWLuDTcQohWFkeIQyKUGL9uQ5qmmGK8FZwUU/9gY1JjrMw5sa+rVN/C +hkbRsHmBAgMBAAGjgYswgYgwHQYDVR0OBBYEFP/KjsSWWC+hw1cIaZLn1ZV3IeMq +MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC +F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp +EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQBO6P+y7UQ7HRyA7dOf2Dvze6xv +HKgjh8z5uKNbfvmgUT2gECQ+3g0LvDRYHU7w/isSmhCQxIGf+xc7r3+Rtyjg+uEc +8z0UBysbqrn8pZXPr+FPU5X5czUnwXlZwj02e1fY250LCmfHXFYuPzgwtlbJs2Ec +2exDG7EZWWX6l/mRFQR8HiF/jum2i06yjO1v+phUVenW/ym2fq+/lY/ZWebQasD7 +7PT3yT/Eage4AIj5zYmZzqJex3OKDiVltAUefnekFJBKqv1UIcWlijRPZPK8uYQk +IYHRL5fpa9E/HkwY8QopXPJi6Yfx76acY+dQd1xovY3noUVGzQV5wuaICS9V6H9B +5vkxDYbbABQQ9OJcy8XR7cqlkUATiH5hVRjMSKJiostO+CiVDWjZyJdNgR0kZeaa +9cSYBdTBxN82A/Vtq4ETq/PG5rR08KQY4HqIlOlo16OxGcJ2zVKSk5lTeI1wx/in +uOnJTo5mDJHOJrtYGuCLiqZp/Fbcz/Tb9Qccc1yw78feYiNV6JXKx3uPvfsNbXkY +KnsorT6OQ9G2d/zKPYUw+JEc1BJpk8okvGT8oTfvnfXty63ccN4+iyohQP/GwtQ9 +XiIJ0gGGQjY1VA/L2MOYV0hSMLgddvl4Pt8KXsxQ72gGl8a/s1oOKkYfpm/xchpd +3ldrrKbAwExwhsARrA== +-----END 
CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta +YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ +dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/cert-chain.pem b/istio-1.24.3/samples/certs/cert-chain.pem new file mode 100644 index 00000000..a460e036 --- /dev/null +++ b/istio-1.24.3/samples/certs/cert-chain.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/generate-workload.sh b/istio-1.24.3/samples/certs/generate-workload.sh new file mode 100755 index 00000000..2ff08c8e --- /dev/null +++ b/istio-1.24.3/samples/certs/generate-workload.sh 
@@ -0,0 +1,111 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +name=${1:-foo} +ns=${2:-$name} +sa=${3:-$name} +tmp=${4:-""} +rootselect=${5:-""} +san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +FINAL_DIR=$DIR +if [ -n "$tmp" ]; then + if [ -d "$tmp" ]; then + FINAL_DIR=$tmp + cp "$DIR"/root-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-key.pem "$FINAL_DIR" + cp "$DIR"/cert-chain.pem "$FINAL_DIR" + + cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" + cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" + + else + echo "tmp argument is not a directory: $tmp" + exit 1 + fi +fi + +function cleanup() { + if [ -f "$FINAL_DIR"/.srl ]; then + rm "$FINAL_DIR"/.srl + fi + if [ -f "$FINAL_DIR"/ca-cert.srl ]; then + rm "$FINAL_DIR"/ca-cert.srl + fi + if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then + rm "$FINAL_DIR"/ca-cert-alt.srl + fi + if [ -f "$FINAL_DIR"/workload.cfg ]; then + rm "$FINAL_DIR"/workload.cfg + fi + if [ -f "$FINAL_DIR"/workload.csr ]; then + rm "$FINAL_DIR"/workload.csr + fi +} + +trap cleanup EXIT + +openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 + +cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" +cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem" +cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem" + 
+echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" +openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem" + diff --git a/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem b/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem new file mode 100644 index 00000000..b5f4752c --- /dev/null +++ b/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd +GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR +91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI +j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE +OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw +Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre +gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C +FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ +4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT +ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE +JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 +8w== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem b/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem new file mode 100644 index 00000000..fee6dcf8 --- /dev/null +++ b/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp +tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er +3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh +MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 +IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG ++PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV +WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC +FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ +q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og +MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE +Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT +bw== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/root-cert-alt.pem b/istio-1.24.3/samples/certs/root-cert-alt.pem new file mode 100644 index 00000000..751429c9 --- /dev/null +++ b/istio-1.24.3/samples/certs/root-cert-alt.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta +YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ +dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/root-cert-combined-2.pem b/istio-1.24.3/samples/certs/root-cert-combined-2.pem new file mode 100644 index 00000000..3be5ea66 --- /dev/null +++ b/istio-1.24.3/samples/certs/root-cert-combined-2.pem 
@@ -0,0 +1,84 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta 
+YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ +dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta +YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ 
+dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.24.3/samples/certs/root-cert-combined.pem b/istio-1.24.3/samples/certs/root-cert-combined.pem new file mode 100644 index 00000000..fc7ee45a --- /dev/null +++ b/istio-1.24.3/samples/certs/root-cert-combined.pem 
@@ -0,0 +1,54 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx +MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b +/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 +m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv +jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta 
+YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w +xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ +dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh +kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 +SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx +hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb +LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP +dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 +7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O +H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w +IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW +IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H +seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF +36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X +Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU +zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO +ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU +Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ +1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF +tugW0JVzMZI= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.24.3/samples/certs/root-cert.pem b/istio-1.24.3/samples/certs/root-cert.pem new file mode 100644 index 00000000..64c3fd50 --- /dev/null +++ b/istio-1.24.3/samples/certs/root-cert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-bar-cert.pem b/istio-1.24.3/samples/certs/workload-bar-cert.pem new file mode 100644 index 00000000..1b59e9c5 --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-bar-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd +GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR +91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI +j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE +OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw +Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre +gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C +FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ +4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT +ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE +JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 +8w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-bar-key.pem b/istio-1.24.3/samples/certs/workload-bar-key.pem new file mode 100644 index 00000000..1b7889a9 --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-bar-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ +NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ +aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1 +EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz +MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz +nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok +POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh +nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL +jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL +O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK +v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3 +bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7 +5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77 +pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5 +Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl +sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO +U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd +SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx +C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy +9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf +dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo +qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH +La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw +nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm +oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA== +-----END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/workload-bar-root-certs.pem b/istio-1.24.3/samples/certs/workload-bar-root-certs.pem new file mode 100644 index 00000000..9a43073e --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-bar-root-certs.pem 
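Review bot: Private key material should not be in the repository: `workload-bar-key.pem` in this hunk and `workload-foo-key.pem` further down are complete RSA private keys. The `istio-1.24.3/samples/certs/` path suggests an unpacked Istio release archive was committed by accident; if so, these are published sample keys and the certificates built on them give no identity assurance, so nothing the playground deploys should trust them. `generate-workload.sh` in the same directory copies `ca-key.pem`, so a CA signing key is presumably part of the same tree. I would drop the whole `istio-1.24.3/` directory from the commit, add `istio-*/` to `.gitignore`, and have `install-istio.sh` download the release at run time if it does not already.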
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
+8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-foo-cert.pem b/istio-1.24.3/samples/certs/workload-foo-cert.pem new file mode 100644 index 00000000..50197b98 --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-foo-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp +tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er +3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh +MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 +IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG ++PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV +WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC +FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ +q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og +MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE +Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT +bw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-foo-key.pem b/istio-1.24.3/samples/certs/workload-foo-key.pem new file mode 100644 index 00000000..bac90f1e --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-foo-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit +HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP +DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005 +nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8 +3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz +RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw +vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh +OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D +PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/ +/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5 +QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N +a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75 +Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N +au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O +79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb +nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC +mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4 +/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq +HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh +Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+ +Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX +CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU +HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt +cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz +9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ +-----END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/workload-foo-root-certs.pem b/istio-1.24.3/samples/certs/workload-foo-root-certs.pem new file mode 100644 index 00000000..9a43073e --- /dev/null +++ b/istio-1.24.3/samples/certs/workload-foo-root-certs.pem 
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
+8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.24.3/samples/cicd/skaffold/README.md b/istio-1.24.3/samples/cicd/skaffold/README.md new file mode 100644 index 00000000..a8fa19ab --- /dev/null +++ b/istio-1.24.3/samples/cicd/skaffold/README.md 
@@ -0,0 +1,45 @@ +# Skaffold + +This is intended for demonstration only, and is not tuned for performance or security. + +skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters + +If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch. + +## Quick Start + +skaffold is built around modules and profiles + +1) istio-base + istio + + ```bash + skaffold run -m istiod + ``` + +2) istio-base + istio + ingress + + ```bash + skaffold run -m ingress + ``` + +3) istio-base + istio + ingress + kiali + + ```bash + skaffold run -m ingress,kiali + ``` + +4) istio-base + istio + ingress + kiali + bookinfo + + ```bash + skaffold run -m ingress,kiali,bookinfo + ``` + +## References + +- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold) +- Site: [skaffold.dev](https://skaffold.dev/) + +### TODO + +- Add build and test stage for images in istiod (pilot and proxy) +- Addons diff --git a/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml b/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml new file mode 100644 index 00000000..b67aa289 --- /dev/null +++ b/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml 
@@ -0,0 +1,145 @@ +# Skaffold - https://skaffold.dev/ +# ------------------------------------------------ # +# This is for illustration purposes only +# ------------------------------------------------ # +# Installation options & modules +# ------------------------------------------------ # +# istio - `skaffold run -m istiod` +# ingress - `skaffold run -m ingress` +# Addons: +# - kiali - `skaffold run -m kiali` +# - prometheus - `skaffold run -m prometheus` +# Demos: +# - bookinfo - `skaffold run -m bookinfo` +# ------------------------------------------------ # +# Development mode - skaffold dev # +# ------------------------------------------------- # +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: istio-base +profiles: + - name: dev + activation: + - command: dev + deploy: + helm: + releases: + - name: istio-base + chartPath: ../../../manifests/charts/base + namespace: istio-system + createNamespace: true + - name: run + activation: + - command: run + deploy: + helm: + releases: + - name: istio-base + remoteChart: base + repo: https://istio-release.storage.googleapis.com/charts + namespace: istio-system + createNamespace: true +--- +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: istiod +requires: + - configs: [istio-base] +profiles: + - name: dev + activation: + - command: dev + deploy: + helm: + releases: + - name: istiod + chartPath: ../../../manifests/charts/istio-control/istio-discovery + namespace: istio-system + - name: run + activation: + - command: run + deploy: + helm: + releases: + - name: istiod + remoteChart: istiod + repo: https://istio-release.storage.googleapis.com/charts + namespace: istio-system +--- +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: ingress +requires: + - configs: [istiod] +profiles: + - name: dev + activation: + - command: dev + deploy: + helm: + releases: + - name: istio-ingressgateway + chartPath: ../../../manifests/charts/gateway + namespace: istio-system + - name: run + 
activation: + - command: run + deploy: + helm: + releases: + - name: istio-ingressgateway + remoteChart: gateway + repo: https://istio-release.storage.googleapis.com/charts + namespace: istio-system +--- +# https://istio.io/latest/docs/ops/integrations/prometheus/ +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: prometheus +requires: + - configs: [istiod] +deploy: + kubectl: + manifests: ["../../../samples/addons/prometheus.yaml"] +--- +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: kiali +requires: + - configs: [prometheus] +deploy: + helm: + releases: + - name: kiali-server + remoteChart: kiali-server + repo: https://kiali.org/helm-charts + namespace: istio-system + version: v1.44.0 + valuesFiles: [../../../manifests/addons/values-kiali.yaml] +--- +# Config for https://istio.io/latest/docs/examples/bookinfo/ +apiVersion: skaffold/v2beta22 +kind: Config +metadata: + name: bookinfo +requires: + - configs: [ingress] +deploy: + kubectl: + hooks: + before: + - host: + command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"] + os: [darwin, linux] + - host: + command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"] + os: [windows] + manifests: + - "../../../samples/bookinfo/platform/kube/bookinfo.yaml" + - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml" + - "../../../samples/bookinfo/networking/destination-rule-all.yaml" diff --git a/istio-1.24.3/samples/curl/README.md b/istio-1.24.3/samples/curl/README.md new file mode 100644 index 00000000..05ed1534 --- /dev/null +++ b/istio-1.24.3/samples/curl/README.md 
@@ -0,0 +1,28 @@ +# Simple curl service + +This sample is a a request source for invoking other services, to experiment with Istio networking. +It consists of a pod that does nothing but sleep. You can get a shell on the pod (an Alpine container) and use `curl`. + +To use it: + +1. Install Istio by following the [installation instructions](https://istio.io/docs/setup/). + +1. Start the curl pod: + + ```bash + kubectl apply -f curl.yaml + ``` + +1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/). + + Now you can `kubectl exec` into the curl service to experiment with Istio networking. + For example, the following commands can be used to call the Bookinfo `ratings` service: + + ```bash + export CURL_POD=$(kubectl get pod -l app=curl -o jsonpath={.items..metadata.name}) + kubectl exec -it $CURL_POD -c curl -- curl http://ratings.default.svc.cluster.local:9080/ratings/1 + {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}} + ``` + +You can also use the curl service to test accessing services outside of the mesh. +See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details. diff --git a/istio-1.24.3/samples/curl/curl.yaml b/istio-1.24.3/samples/curl/curl.yaml new file mode 100644 index 00000000..306a5afc --- /dev/null +++ b/istio-1.24.3/samples/curl/curl.yaml 
@@ -0,0 +1,66 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Curl service +################################################################################################## +apiVersion: v1 +kind: ServiceAccount +metadata: + name: curl +--- +apiVersion: v1 +kind: Service +metadata: + name: curl + labels: + app: curl + service: curl +spec: + ports: + - port: 80 + name: http + selector: + app: curl +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: curl +spec: + replicas: 1 + selector: + matchLabels: + app: curl + template: + metadata: + labels: + app: curl + spec: + terminationGracePeriodSeconds: 0 + serviceAccountName: curl + containers: + - name: curl + image: curlimages/curl + command: ["/bin/sleep", "infinity"] + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /etc/curl/tls + name: secret-volume + volumes: + - name: secret-volume + secret: + secretName: curl-secret + optional: true +--- diff --git a/istio-1.24.3/samples/custom-bootstrap/README.md b/istio-1.24.3/samples/custom-bootstrap/README.md new file mode 100644 index 00000000..7d1c6236 --- /dev/null +++ b/istio-1.24.3/samples/custom-bootstrap/README.md 
@@ -0,0 +1,57 @@ +# Custom Envoy Bootstrap Configuration + +This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. + +## Starting the service + +First, we need to create a `ConfigMap` resource with our bootstrap configuration. + +```bash +kubectl apply -f custom-bootstrap.yaml +``` + +Next, we can create a service that uses this bootstrap configuration. + +To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. + +We can create our helloworld app, using the custom config, with: + +```bash +kubectl apply -f example-app.yaml +``` + +If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) +set in your cluster you will need to manually inject it to the services instead: + +```bash +istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml +kubectl apply -f example-app-istio.yaml +``` + +## Checking the Bootstrap Configuration + +To see what bootstrap configuration a pod is using: + +```bash +istioctl proxy-config bootstrap +``` + +## Customizing the Bootstrap + +The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. + +This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. + +For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful + +## Outside of Kubernetes + +The annotation above configures a volume mount and configures Istio to use it. 
+When running outside of Kubernetes or in custom setups, similar functionality can be achieved by setting the `ISTIO_BOOTSTRAP_OVERRIDE` variable pointing to a file containing the custom bootstrap. + +## Cleanup + +```bash +kubectl delete -f custom-bootstrap.yaml +kubectl delete -f example-app.yaml +``` diff --git a/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml new file mode 100644 index 00000000..5f406976 --- /dev/null +++ b/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-custom-bootstrap-config + namespace: default +data: + custom_bootstrap.json: | + "tracing": { + "http": { + "name": "envoy.tracers.zipkin", + "typed_config": { + "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig", + "collector_cluster": "zipkin", + "collector_endpoint": "/api/v1/spans/custom", + "collector_endpoint_version": "HTTP_JSON", + "trace_id_128bit": true, + "shared_span_context": false + } + } + } diff --git a/istio-1.24.3/samples/custom-bootstrap/example-app.yaml b/istio-1.24.3/samples/custom-bootstrap/example-app.yaml new file mode 100644 index 00000000..3a351a31 --- /dev/null +++ b/istio-1.24.3/samples/custom-bootstrap/example-app.yaml @@ -0,0 +1,30 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-v1 + labels: + app: helloworld + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + version: v1 + template: + metadata: + annotations: + sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config" + labels: + app: helloworld + version: v1 + spec: + containers: + - name: helloworld + image: docker.io/istio/examples-helloworld-v1 + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 5000 
diff --git a/istio-1.24.3/samples/extauthz/README.md b/istio-1.24.3/samples/extauthz/README.md new file mode 100644 index 00000000..8cefb664 --- /dev/null +++ b/istio-1.24.3/samples/extauthz/README.md 
@@ -0,0 +1,99 @@ +# Ext Authz Service + +[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) +as an example of integrating custom authorization system into Istio. + +The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and +will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. +Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. + +## Usage + +1. Deploy the Ext Authz service in a dedicated pod: + + ```console + $ kubectl apply -f ext-authz.yaml + service/ext-authz created + deployment.apps/ext-authz created + ``` + + Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. + +1. Verify the Ext Authz server is up and running: + + Deploy a sleep pod to send the request: + + ```console + $ kubectl apply -f ../sleep/sleep.yaml + ``` + + Send a check request with header `x-ext-authz: allow` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" + * Trying 10.97.88.183:8000... 
+ * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allow + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 200 OK + < x-ext-authz-result: allowed + < date: Tue, 03 Nov 2020 03:06:11 GMT + < content-length: 0 + < x-envoy-upstream-service-time: 19 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + ``` + + As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. + + Send another check request with `x-ext-authz: blabla` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allowx + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 403 Forbidden + < x-ext-authz-check-result: denied + < date: Tue, 03 Nov 2020 03:14:02 GMT + < content-length: 76 + < content-type: text/plain; charset=utf-8 + < x-envoy-upstream-service-time: 44 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + denied by ext_authz for not found header `x-ext-authz: allow` in the request + ``` + + As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. + +1. To clean up, execute the following commands: + + ```console + $ kubectl delete -f ../sleep/sleep.yaml + $ kubectl delete -f ext-authz.yaml + ``` + +## Advanced features + +The Ext Authz server supports the following advanced features that are useful for testing: + +- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of + the check request it received from the ext-authz filter. 
This header is useful in verifying the ext-authz filter sending + the expected request to the ext authz server. + +- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to + the user request. The value of the header depends on the type of ext-authz server. + The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the + check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. + This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/istio-1.24.3/samples/extauthz/ext-authz.yaml b/istio-1.24.3/samples/extauthz/ext-authz.yaml new file mode 100644 index 00000000..0860df5c --- /dev/null +++ b/istio-1.24.3/samples/extauthz/ext-authz.yaml 
@@ -0,0 +1,55 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Example configurations for deploying ext-authz server separately in the mesh. + +apiVersion: v1 +kind: Service +metadata: + name: ext-authz + labels: + app: ext-authz +spec: + ports: + - name: http + port: 8000 + targetPort: 8000 + - name: grpc + port: 9000 + targetPort: 9000 + selector: + app: ext-authz +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ext-authz +spec: + replicas: 1 + selector: + matchLabels: + app: ext-authz + template: + metadata: + labels: + app: ext-authz + spec: + containers: + - image: gcr.io/istio-testing/ext-authz:latest + imagePullPolicy: IfNotPresent + name: ext-authz + ports: + - containerPort: 8000 + - containerPort: 9000 +--- diff --git a/istio-1.24.3/samples/extauthz/local-ext-authz.yaml b/istio-1.24.3/samples/extauthz/local-ext-authz.yaml new file mode 100644 index 00000000..46797770 --- /dev/null +++ b/istio-1.24.3/samples/extauthz/local-ext-authz.yaml 
@@ -0,0 +1,111 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Example configurations for deploying ext-authz server locally with the application container in the same pod. + +# Define the service entry for the local ext-authz service on port 8000. +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: httpbin-ext-authz-http +spec: + hosts: + - "ext-authz-http.local" + endpoints: + - address: "127.0.0.1" + ports: + - name: http + number: 8000 + protocol: HTTP + resolution: STATIC +--- +# Define the service entry for the local ext-authz service on port 9000. +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: httpbin-ext-authz-grpc +spec: + hosts: + - "ext-authz-grpc.local" + endpoints: + - address: "127.0.0.1" + ports: + - name: grpc + number: 9000 + protocol: GRPC + resolution: STATIC +--- +# Deploy the ext-authz server locally with the application container in the same pod. 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: httpbin +spec: + replicas: 1 + selector: + matchLabels: + app: httpbin + version: v1 + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + serviceAccountName: httpbin + containers: + - image: docker.io/mccutchen/go-httpbin:v2.15.0 + imagePullPolicy: IfNotPresent + name: httpbin + # Same as found in Dockerfile's CMD but using an unprivileged port + command: + - gunicorn + - -b + - 0.0.0.0:8080 + - httpbin:app + - -k + - gevent + env: + # Tells pipenv to use a writable directory instead of $HOME + - name: WORKON_HOME + value: /tmp + ports: + - containerPort: 8080 + - image: gcr.io/istio-testing/ext-authz:latest + imagePullPolicy: IfNotPresent + name: ext-authz + ports: + - containerPort: 8000 + - containerPort: 9000 +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin + labels: + app: httpbin + service: httpbin +spec: + ports: + - name: http + port: 8000 + targetPort: 8080 + selector: + app: httpbin +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: httpbin +--- diff --git a/istio-1.24.3/samples/external/README.md b/istio-1.24.3/samples/external/README.md new file mode 100644 index 00000000..8f7d9c48 --- /dev/null +++ b/istio-1.24.3/samples/external/README.md 
@@ -0,0 +1,34 @@ +# External Services + +By default, Istio-enabled services are unable to access services and URLs outside the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations. + +See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for +information on configuring Istio to contact external services. + +This directory contains samples showing how to enable pods to contact a few well +known services. + +If Istio is not configured to allow pods to contact external services, the pods will +see errors such as 404s, HTTPS connection problems, and TCP connection problems. If +ServiceEntries are misconfigured pods may see problems with server names. + +## Try it out + +After an operator runs `kubectl create -f aptget.yaml` pods will be able to +succeed with `apt-get update` and `apt-get install`. + +After an operator runs `kubectl create -f github.yaml` pods will be able to +succeed with `git clone https://github.com/fortio/fortio.git`. + +Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`. + +It is not a best practice to enable pods to update libraries dynamically. +We are providing these samples +because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud +services. + +### Enable communication by default + +Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique +discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will +allow external communication for ports 80 and 22. diff --git a/istio-1.24.3/samples/external/aptget.yaml b/istio-1.24.3/samples/external/aptget.yaml new file mode 100644 index 00000000..0b3bf3bb --- /dev/null 
+++ b/istio-1.24.3/samples/external/aptget.yaml @@ -0,0 +1,20 @@ +# This ServiceEntry exposes the hosts needed for installing packages with apt-get. +# After applying this file, Istio-enabled pods (configured apt-get) be able to execute +# `apt-get upgrade` and `apt-get install`. If this is not installed you may get +# "404 Not Found" + +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: make-aptget-work +spec: + hosts: + - deb.debian.org + - cdn-fastly.deb.debian.org + - security.debian.org + - archive.ubuntu.com + - security.ubuntu.com + ports: + - number: 80 + name: http + protocol: HTTP diff --git a/istio-1.24.3/samples/external/github.yaml b/istio-1.24.3/samples/external/github.yaml new file mode 100644 index 00000000..52dd5999 --- /dev/null +++ b/istio-1.24.3/samples/external/github.yaml 
@@ -0,0 +1,53 @@ +# This ServiceEntry exposes the hosts needed for github.com. +# After applying this file, Istio-enabled pods will be able to execute +# `git clone https://github.com/istio/api.git` and (with local identification +# config and certificate) `git clone git@github.com:istio/api.git` + +# HTTP and TLS, the host must be specified +# See https://istio.io/docs/tasks/traffic-management/egress/ +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: github-https +spec: + hosts: + - github.com + ports: + - number: 443 + name: https + protocol: HTTPS +--- +# For TCP services the IP ranges SHOULD be specified to avoid problems +# if multiple SEs use the same port number. +# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: github-tcp +spec: + hosts: + - dummy.github.com # not used + addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/ + - "13.229.188.59/32" + - "13.250.177.223/32" + - "140.82.112.0/20" + - "18.194.104.89/32" + - "18.195.85.27/32" + - "185.199.108.0/22" + - "185.199.108.153/32" + - "185.199.109.153/32" + - "185.199.110.153/32" + - "185.199.111.153/32" + - "192.30.252.0/22" + - "192.30.252.153/32" + - "192.30.252.154/32" + - "23.20.92.3/32" + - "35.159.8.160/32" + - "52.74.223.119/32" + - "54.166.52.62/32" + - "54.87.5.173/32" + ports: + - name: tcp + number: 22 + protocol: tcp + location: MESH_EXTERNAL diff --git a/istio-1.24.3/samples/external/pypi.yaml b/istio-1.24.3/samples/external/pypi.yaml new file mode 100644 index 00000000..c502ad7c --- /dev/null +++ b/istio-1.24.3/samples/external/pypi.yaml 
@@ -0,0 +1,44 @@ +# This ServiceEntry exposes the hosts needed for Python `pip`. +# After applying this file, Istio-enabled pods will be able to execute +# `pip search istio`. + +# HTTP and TLS, the host must be specified +# See https://istio.io/docs/tasks/traffic-management/egress/ + +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: python-https +spec: + hosts: + - pypi.python.org + ports: + - number: 443 + name: https + protocol: HTTPS +--- +# pypi.python.org may 301 redirect to pypi.org, so we need this too. +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: pypi-https +spec: + hosts: + - pypi.org + ports: + - number: 443 + name: https + protocol: HTTPS +--- +# pip install may fetch files from files.pythonhosted.org +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: pythonhosted-https +spec: + hosts: + - files.pythonhosted.org + ports: + - number: 443 + name: https + protocol: HTTPS diff --git a/istio-1.24.3/samples/grpc-echo/README.md b/istio-1.24.3/samples/grpc-echo/README.md new file mode 100644 index 00000000..46631698 --- /dev/null +++ b/istio-1.24.3/samples/grpc-echo/README.md @@ -0,0 +1,7 @@ +# grpc-echo + +This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`. +The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy. + +See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more +information. diff --git a/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml b/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml new file mode 100644 index 00000000..2dc6fd9a --- /dev/null +++ b/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml 
@@ -0,0 +1,191 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: echo + name: echo + namespace: echo-grpc +spec: + selector: + app: echo + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 18080 + - name: grpc + port: 7070 + targetPort: 17070 + - name: tcp + port: 9090 + targetPort: 19090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: echo-v1 + namespace: echo-grpc +spec: + replicas: 1 + selector: + matchLabels: + app: echo + version: v1 + template: + metadata: + annotations: + inject.istio.io/templates: grpc-agent + proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' + labels: + app: echo + version: v1 + spec: + containers: + - args: + - --metrics=15014 + - --port + - "18080" + - --tcp + - "19090" + - --xds-grpc-server=17070 + - --grpc + - "17070" + - --grpc + - "17171" + - --port + - "3333" + - --port + - "8080" + - --version + - v1 + - --crt=/cert.crt + - --key=/cert.key + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: gcr.io/istio-testing/app:latest + imagePullPolicy: Always + livenessProbe: + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: tcp-health-port + timeoutSeconds: 1 + name: app + ports: + - containerPort: 17070 + protocol: TCP + - containerPort: 17171 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 3333 + name: tcp-health-port + protocol: TCP + readinessProbe: + failureThreshold: 10 + httpGet: + path: / + port: 8080 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 10 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: tcp-health-port + timeoutSeconds: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: echo-v2 + namespace: echo-grpc +spec: + replicas: 1 + selector: + matchLabels: + app: echo + version: v2 + template: + metadata: + 
annotations: + inject.istio.io/templates: grpc-agent + proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' + labels: + app: echo + version: v2 + spec: + containers: + - args: + - --metrics=15014 + - --xds-grpc-server=17070 + - --port + - "18080" + - --tcp + - "19090" + - --grpc + - "17070" + - --grpc + - "17171" + - --port + - "3333" + - --port + - "8080" + - --version + - v2 + - --crt=/cert.crt + - --key=/cert.key + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: gcr.io/istio-testing/app:latest + imagePullPolicy: Always + livenessProbe: + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: tcp-health-port + timeoutSeconds: 1 + name: app + ports: + - containerPort: 17070 + protocol: TCP + - containerPort: 17171 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 3333 + name: tcp-health-port + protocol: TCP + readinessProbe: + failureThreshold: 10 + httpGet: + path: / + port: 8080 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 10 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: tcp-health-port + timeoutSeconds: 1 diff --git a/istio-1.24.3/samples/health-check/liveness-command.yaml b/istio-1.24.3/samples/health-check/liveness-command.yaml new file mode 100644 index 00000000..247b55e5 --- /dev/null +++ b/istio-1.24.3/samples/health-check/liveness-command.yaml 
@@ -0,0 +1,58 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Liveness service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness
+ labels:
+ app: liveness
+ service: liveness
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: liveness
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness
+spec:
+ selector:
+ matchLabels:
+ app: liveness
+ template:
+ metadata:
+ labels:
+ app: liveness
+ spec:
+ containers:
+ - name: liveness
+ image: registry.k8s.io/busybox
+ args:
+ - /bin/sh
+ - -c
+ - touch /tmp/healthy; sleep 3600
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml b/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml
new file mode 100644
index 00000000..a39a3ff1
--- /dev/null
+++ b/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness-http
+ labels:
+ app: liveness-http
+ service: liveness-http
+spec:
+ ports:
+ - name: http
+ port: 8001
+ selector:
+ app: liveness-http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness-http
+spec:
+ selector:
+ matchLabels:
+ app: liveness-http
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: liveness-http
+ version: v1
+ spec:
+ containers:
+ - name: liveness-http
+ image: docker.io/istio/health:example
+ ports:
+ - containerPort: 8001
+ livenessProbe:
+ httpGet:
+ path: /foo
+ port: 8001
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/istio-1.24.3/samples/helloworld/README.md b/istio-1.24.3/samples/helloworld/README.md
new file mode 100644
index 00000000..2d4b2fbc
--- /dev/null
+++ b/istio-1.24.3/samples/helloworld/README.md
@@ -0,0 +1,110 @@ +# Helloworld service + +This sample includes two versions of a simple helloworld service that returns its version +and instance (hostname) when called. +It can be used as a test service when experimenting with version routing. + +This service is also used to demonstrate canary deployments working in conjunction with autoscaling. +See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary). + +## Start the helloworld service + +The following commands assume you have +[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) +enabled in your cluster. +If not, you'll need to modify them to include +[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection). + +To run both versions of the helloworld service, use the following command: + +```bash +kubectl apply -f helloworld.yaml +``` + +Alternatively, you can run just one version at a time by first defining the service: + +```bash +kubectl apply -f helloworld.yaml -l service=helloworld +``` + +and then deploying version v1, v2, or both: + +```bash +kubectl apply -f helloworld.yaml -l version=v1 +kubectl apply -f helloworld.yaml -l version=v2 +``` + +For even more flexibility, there is also a script, `gen-helloworld.sh`, that will +generate YAML for the helloworld service. This script takes the following +arguments: + +| Argument | Default | Description | +|-----------------------|---------|------------------------------------------------------------------------| +| `-h`,`--help` | | Prints usage information. | +| `--version` | `v1` | Specifies the version that will be returned by the helloworld service. | +| `--includeService` | `true` | If `true` the service will be included in the YAML. | +| `--includeDeployment` | `true` | If `true` the deployment will be included in the YAML. 
| + +You can use this script to deploy a custom version: + +```bash +./gen-helloworld.sh --version customversion | \ + kubectl apply -f - +``` + +## Configure the helloworld gateway + +*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.* + +Apply the helloworld gateway configuration: + +```bash +kubectl apply -f helloworld-gateway.yaml +``` + +Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) +to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl: + +```bash +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +curl http://$GATEWAY_URL/hello +``` + +## Autoscale the services + +Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) +only works if all containers in the pods request cpu. In this sample the deployment +containers in `helloworld.yaml` are configured with the request. +The injected istio-proxy containers also include cpu requests, +making the helloworld service ready for autoscaling. 
+ +Enable autoscaling on both versions of the service: + +```bash +kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 +kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 +kubectl get hpa +``` + +## Generate load + +```bash +./loadgen.sh & +./loadgen.sh & # run it twice to generate lots of load +``` + +Wait for about 2 minutes and then check the number of replicas: + +```bash +kubectl get hpa +``` + +If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1. + +## Cleanup + +```bash +kubectl delete -f helloworld.yaml +kubectl delete -f helloworld-gateway.yaml +kubectl delete hpa helloworld-v1 helloworld-v2 +``` diff --git a/istio-1.24.3/samples/helloworld/gateway-api/README.md b/istio-1.24.3/samples/helloworld/gateway-api/README.md new file mode 100644 index 00000000..ee37810e --- /dev/null +++ b/istio-1.24.3/samples/helloworld/gateway-api/README.md 
@@ -0,0 +1,74 @@ +# Configure helloworld using the Kubernetes Gateway API + +Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). +You can use the following instructions to configure the ingress gateway and routing for the helloworld sample. + +## Before you begin + +The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present: + +```bash +kubectl get crd gateways.gateway.networking.k8s.io || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; } +``` + +Also make sure you are running two versions (v1 and v2) of the helloworld service: + +```bash +kubectl apply -f ../helloworld.yaml +``` + +## Configure the helloworld gateway + +Apply the helloworld gateway configuration: + +```bash +kubectl apply -f ./helloworld-gateway.yaml +``` + +Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment). + +Set the INGRESS_HOST environment variables to the address of the helloworld gateway: + +```bash +kubectl wait --for=condition=ready gtw helloworld-gateway +export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}') +``` + +Confirm the sample is running using curl: + +```bash +for run in {1..10}; do curl http://$INGRESS_HOST/hello; done +``` + +Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2. 
+ +## Configure weight-based routing + +Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this): + +```bash +kubectl apply -f ./helloworld-versions.yaml +``` + +Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2: + +```bash +kubectl apply -f ./helloworld-route.yaml +``` + +Run the previous curl commands again: + +```bash +for run in {1..10}; do curl http://$INGRESS_HOST/hello; done +``` + +Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2. + +## Cleanup + +```bash +kubectl delete -f ./helloworld-gateway.yaml +kubectl delete -f ./helloworld-versions.yaml +kubectl delete -f ../helloworld.yaml +``` diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml new file mode 100644 index 00000000..a21f1c67 --- /dev/null +++ b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml @@ -0,0 +1,29 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + gatewayClassName: istio + listeners: + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: helloworld +spec: + parentRefs: + - name: helloworld-gateway + rules: + - matches: + - path: + type: Exact + value: /hello + backendRefs: + - name: helloworld + port: 5000 diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml new file mode 100644 index 00000000..d6621bd3 --- /dev/null +++ b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml 
@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: helloworld
+spec:
+ parentRefs:
+ - name: helloworld-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /hello
+ backendRefs:
+ - name: helloworld-v1
+ port: 5000
+ weight: 90
+ - name: helloworld-v2
+ port: 5000
+ weight: 10
diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml
new file mode 100644
index 00000000..fc218515
--- /dev/null
+++ b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld-v1
+spec:
+ ports:
+ - port: 5000
+ name: http
+ selector:
+ app: helloworld
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld-v2
+spec:
+ ports:
+ - port: 5000
+ name: http
+ selector:
+ app: helloworld
+ version: v2
diff --git a/istio-1.24.3/samples/helloworld/gen-helloworld.sh b/istio-1.24.3/samples/helloworld/gen-helloworld.sh
new file mode 100755
index 00000000..8634ddc7
--- /dev/null
+++ b/istio-1.24.3/samples/helloworld/gen-helloworld.sh
@@ -0,0 +1,131 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +display_usage() { + echo + echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]" + echo " -h|--help: Prints usage information" + echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'" + echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'" + echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'" +} + +INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} +INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} +SERVICE_VERSION=${SERVICE_VERSION:-"v1"} +while (( "$#" )); do + case "$1" in + -h|--help) + display_usage + exit 0 + ;; + + --version) + SERVICE_VERSION=$2 + shift 2 + ;; + + --includeService) + INCLUDE_SERVICE=$2 + shift 2 + ;; + + --includeDeployment) + INCLUDE_DEPLOYMENT=$2 + shift 2 + ;; + + *) + echo "Error: Unsupported flag $1" >&2 + display_usage + exit 1 + ;; + esac +done + +SERVICE_YAML=$(cat </dev/null || true) +if [[ "${ENVOS}" != "Linux" ]]; then + echo "Your system is not supported by this script. 
Only Linux is supported" + exit 1 +fi + +# Check prerequisites +REQUISITES=("kubectl" "kind" "docker") +for item in "${REQUISITES[@]}"; do + if [[ -z $(which "${item}") ]]; then + echo "${item} cannot be found on your system, please install ${item}" + exit 1 + fi +done + +# Function to print the usage message +function printHelp() { + echo "Usage: " + echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255" + echo "" + echo "Where:" + echo " -n|--cluster-name - name of the k8s cluster to be created" + echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given" + echo " -s|--ip-space - the 2nd to the last part for public ip addresses, 255 if not given, valid range: 0-255." + echo " -m|--mode - setup the required number of nodes per deployment model. Values are sidecar (1 node) or ambient (minimum of 2)" + echo " -w|--worker-nodes - the number of worker nodes to create. Default is 1" + echo " --pod-subnet - the pod subnet to specify. Default is 10.244.0.0/16 for IPv4 and fd00:10:244::/56 for IPv6" + echo " --service-subnet - the service subnet to specify. Default is 10.96.0.0/16 for IPv4 and fd00:10:96::/112 for IPv6" + echo " -i|--ip-family - ip family to be supported, default is ipv4 only. 
Value should be ipv4, ipv6, or dual" + echo " --ipv6gw - set ipv6 as the gateway, necessary for dual-stack IPv6-preferred clusters" + echo " -h|--help - print the usage of this script" +} + +# Setup default values +CLUSTERNAME="cluster1" +K8SRELEASE="" +IPSPACE=255 +IPFAMILY="ipv4" +MODE="sidecar" +NUMNODES="" +PODSUBNET="" +SERVICESUBNET="" +IPV6GW=false + +# Handling parameters +while [[ $# -gt 0 ]]; do + optkey="$1" + case $optkey in + -n|--cluster-name) + CLUSTERNAME="$2"; shift 2;; + -r|--k8s-release) + K8SRELEASE="--image=kindest/node:v$2"; shift 2;; + -s|--ip-space) + IPSPACE="$2"; shift 2;; + -m|--mode) + MODE="$2"; shift 2;; + -w|--worker-nodes) + NUMNODES="$2"; shift 2;; + --pod-subnet) + PODSUBNET="$2"; shift 2;; + --service-subnet) + SERVICESUBNET="$2"; shift 2;; + -i|--ip-family) + IPFAMILY="${2,,}";shift 2;; + --ipv6gw) + IPV6GW=true; shift;; + -h|--help) + printHelp; exit 0;; + *) # unknown option + echo "parameter $1 is not supported"; printHelp; exit 1;; + esac +done + +# This block is to setup kind to have a local image repo to push +# images using localhost:5000, to use this feature, start up +# a registry container such as gcr.io/istio-testing/registry, then +# connect it to the docker network where kind nodes are running on +# which normally will be called kind +FEATURES=$(cat << EOF +featureGates: + MixedProtocolLBService: true + GRPCContainerProbe: true +kubeadmConfigPatches: + - | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: ClusterConfiguration + metadata: + name: config + etcd: + local: + # Run etcd in a tmpfs (in RAM) for performance improvements + dataDir: /tmp/kind-cluster-etcd + # We run single node, drop leader election to reduce overhead + controllerManagerExtraArgs: + leader-elect: "false" + schedulerExtraArgs: + leader-elect: "false" + apiServer: + extraArgs: + "service-account-issuer": "kubernetes.default.svc" + "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" +containerdConfigPatches: + - |- + 
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] + endpoint = ["http://kind-registry:5000"] +EOF +) + +validIPFamilies=("ipv4" "ipv6" "dual") +# Validate if the ip family value is correct. +isValid="false" +for family in "${validIPFamilies[@]}"; do + if [[ "$family" == "${IPFAMILY}" ]]; then + isValid="true" + break + fi +done + +if [[ "${isValid}" == "false" ]]; then + echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual" + exit 1 +fi + +if [[ "${MODE}" == "ambient" ]]; then + NUMNODES=${NUMNODES:-2} +fi + +NODES=$(cat <<-EOM +nodes: +- role: control-plane +EOM +) + +if [[ -n "${NUMNODES}" ]]; then +for _ in $(seq 1 "${NUMNODES}"); do + NODES+=$(printf "\n%s" "- role: worker") +done +fi + +CONFIG=$(cat <<-EOM +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +${FEATURES} +name: ${CLUSTERNAME} +${NODES} +networking: + ipFamily: ${IPFAMILY} +EOM +) + +if [[ -n "${PODSUBNET}" ]]; then + CONFIG+=$(printf "\n%s" " podSubnet: \"${PODSUBNET}\"") +fi + +if [[ -n "${SERVICESUBNET}" ]]; then + CONFIG+=$(printf "\n%s" " serviceSubnet: \"${SERVICESUBNET}\"") +fi + +# Create k8s cluster using the giving release and name +if [[ -z "${K8SRELEASE}" ]]; then + cat << EOF | kind create cluster --config - +${CONFIG} +EOF +else + cat << EOF | kind create cluster "${K8SRELEASE}" --config - +${CONFIG} +EOF +fi + +# Setup cluster context +kubectl cluster-info --context "kind-${CLUSTERNAME}" + +# Setup metallb using v0.13.11 +kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.11/config/manifests/metallb-native.yaml + +addrName="IPAddress" +ipv4Prefix="" +ipv6Prefix="" + +# Get both ipv4 and ipv6 gateway for the cluster +gatewaystr=$(docker network inspect -f '{{range .IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2) +read -r -a gateways <<< "${gatewaystr}" +for gateway in "${gateways[@]}"; do + if [[ "$gateway" == *"."* ]]; then + ipv4Prefix=$(echo "${gateway}" |cut -d'.' 
-f1,2) + else + ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4) + fi +done + +if [[ "${IPFAMILY}" == "ipv4" ]]; then + addrName="IPAddress" + ipv4Range="- ${ipv4Prefix}.${IPSPACE}.200-${ipv4Prefix}.${IPSPACE}.240" + ipv6Range="" +elif [[ "${IPFAMILY}" == "ipv6" ]]; then + addrName="GlobalIPv6Address" + ipv4Range="" + ipv6Range="- ${ipv6Prefix}::${IPSPACE}:200-${ipv6Prefix}::${IPSPACE}:240" +else + if [[ "${IPV6GW}" == "true" ]]; then + addrName="GlobalIPv6Address" + fi + + ipv4Range="- ${ipv4Prefix}.${IPSPACE}.200-${ipv4Prefix}.${IPSPACE}.240" + ipv6Range="- ${ipv6Prefix}::${IPSPACE}:200-${ipv6Prefix}::${IPSPACE}:240" +fi + +# utility function to wait for pods to be ready +function waitForPods() { + ns=$1 + lb=$2 + waittime=$3 + # Wait for the pods to be ready in the given namespace with lable + while : ; do + res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \ + -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true) + if [[ "${res}" == *"condition met"* ]]; then + break + fi + echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..." + sleep "${waittime}" + done +} + +waitForPods metallb-system app=metallb 10 + +# Now configure the loadbalancer public IP range +cat <&2 + exit 1 + ;; + esac +done + + +# single-cluster installations may need this gateway to allow VMs to get discovery +# for non-single cluster, we add additional topology information +SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" +if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then + if [[ -z "${NETWORK:-}" ]]; then + echo "Must specify either --single-cluster or --network." 
+ exit 1 + fi +fi + +# base +IOP=$(cat < apply -f ../otel.yaml +``` + +In this example, we use `observability` as the namespace to deploy the `otel-collector` backend: + +```bash +kubectl create namespace observability +kubectl -n observability apply -f ../otel.yaml +``` + +The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector). + +Below is the configuration: + +```yaml +receivers: + otlp: + protocols: + grpc: + http: +processors: + batch: +exporters: + logging: + loglevel: debug +service: + pipelines: + logs: + receivers: [otlp] + processors: [batch] + exporters: [logging] +``` + +In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as: + +```yaml +exporters: + jaeger: + endpoint: jaeger-collector.istio-system.svc.cluster.local:14250 + tls: + insecure: true + sending_queue: + enabled: true + retry_on_failure: + enabled: true +service: + pipelines: + traces: + exporters: + - jaeger +``` + +You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`. + +If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service. + +You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above. 
+ +You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like: + +```yaml +spec: + ports: + - name: grpc-otlp + port: 4317 + protocol: TCP + targetPort: 4317 +``` + +Otherwise the traces may not be reported. + +## Update mesh config + +Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled: + +```bash +istioctl install --set profile=demo -y +``` + +Or ensure you have the following additional mesh config set in your Istio: + +```yaml +mesh: |- + extensionProviders: + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local +``` + +Make sure the service name matches the one you deployed if you select a different namespace. + +## Apply the Telemetry resource to report traces + +Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector. + +```bash +kubectl -n apply -f ./telemetry.yaml +``` + +In this example, we deploy it to the default namespace, which is where the sample apps +from the [getting started](https://istio.io/latest/docs/setup/getting-started) are also deployed. + +```bash +kubectl apply -f ./telemetry.yaml +``` + +The core config is: + +```yaml +tracing: +- providers: + - name: otel-tracing + randomSamplingPercentage: 0 +``` + +As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples. 
+ +## Check tracing results + +If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces. + +Then open up the `Jaeger` dashboard with: + +```bash +istioctl dashboard jaeger +``` + +You will see the requests' trace records. + +## Cleanup + +```bash +kubectl -n observability delete -f ./telemetry.yaml +kubectl -n observability delete -f ../otel.yaml +``` diff --git a/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml new file mode 100644 index 00000000..1c9e51d9 --- /dev/null +++ b/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml @@ -0,0 +1,9 @@ +apiVersion: telemetry.istio.io/v1 +kind: Telemetry +metadata: + name: otel-demo +spec: + tracing: + - providers: + - name: otel-tracing + randomSamplingPercentage: 0 diff --git a/istio-1.24.3/samples/proxy-coredump/README.md b/istio-1.24.3/samples/proxy-coredump/README.md new file mode 100644 index 00000000..16704b2f --- /dev/null +++ b/istio-1.24.3/samples/proxy-coredump/README.md @@ -0,0 +1,16 @@ +# Enabling Coredumps + +If the istio-proxy crashes, it will dump a core file which can be used to diagnose why it crashed. +This is useful when filing a bug report. + +However, the proxy runs with a read-only filesystem, so the default core-dumping configuration will generally not enabled +the proxy to dump cores. + +Instead, a *per node* `sysctl` can be tuned to change the location of the core dump. +Warning: this impacts all processes on the entire node, not just Istio. + +This can be done by running `sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited` on the node. + +To do this for all nodes, a `DaemonSet` is provided. +Run `kubectl apply -f daemonset.yaml` to apply it. +Note: this requires elevated privileges. 
diff --git a/istio-1.24.3/samples/proxy-coredump/daemonset.yaml b/istio-1.24.3/samples/proxy-coredump/daemonset.yaml
new file mode 100644
index 00000000..6f820ba8
--- /dev/null
+++ b/istio-1.24.3/samples/proxy-coredump/daemonset.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: enable-istio-coredumps
+ namespace: istio-system
+ labels:
+ app: enable-istio-coredumps
+spec:
+ selector:
+ matchLabels:
+ app: enable-istio-coredumps
+ template:
+ metadata:
+ labels:
+ app: enable-istio-coredumps
+ spec:
+ hostNetwork: true
+ # hostPID: true
+ # hostIPC: true
+ initContainers:
+ - name: setsysctls
+ command:
+ - sh
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ image: alpine
+ imagePullPolicy: IfNotPresent
+ resources: {}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ containers:
+ - name: sleepforever
+ resources:
+ requests:
+ cpu: 1m
+ image: alpine
+ command: ["tail"]
+ args: ["-f", "/dev/null"]
+ volumes:
+ - name: sys
+ hostPath:
+ path: /sys
diff --git a/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml b/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml
new file mode 100644
index 00000000..94f2299f
--- /dev/null
+++ b/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml
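Review bot: The `setsysctls` init container runs with `privileged: true` on every node, and the pod also sets `hostNetwork: true` and mounts the host's `/sys` through a hostPath volume, neither of which the single command it runs (`sysctl -w kernel.core_pattern=...`) appears to need, since that write goes through `/proc/sys`. I would drop `hostNetwork: true` together with the `sys` volume and volumeMount, and pin both `image: alpine` references to a digest, because a privileged container started from a floating tag is a node-level trust decision. `ulimit -c unlimited` only raises the limit of the init container's own shell, so it probably has no effect on the proxy it is meant to help. A header comment would make the scope explicit, for example `# Debug only: rewrites kernel.core_pattern for every process on the node; proxy core files can hold key material and request data; delete after use.`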
@@ -0,0 +1,87 @@
+# This example shows how to use Istio local rate limiting with descriptors to limit by path.
+# This uses the base book-info demo and adds rate limiting by path, specifically rate limiting the product page
+# to 10 requests per minute, and the overall fdqn will be able to accept 100 requests per minute.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-local-ratelimit-svc
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ app: productpage
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.filters.http.local_ratelimit
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
+ value:
+ stat_prefix: http_local_rate_limiter
+ - applyTo: HTTP_ROUTE
+ match:
+ context: SIDECAR_INBOUND
+ routeConfiguration:
+ vhost:
+ name: "inbound|http|8000"
+ route:
+ action: ANY
+ patch:
+ operation: MERGE
+ value:
+ route:
+ rate_limits:
+ - actions:
+ - remote_address: {}
+ - actions:
+ - header_value_match:
+ descriptor_value: "productpage"
+ expect_match: true
+ headers:
+ - name: :path
+ string_match:
+ prefix: /productpage
+ ignore_case: true
+
+ typed_per_filter_config:
+ envoy.filters.http.local_ratelimit:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
+ stat_prefix: test_enabled
+ token_bucket:
+ max_tokens: 100
+ tokens_per_fill: 100
+ fill_interval: 60s
+ enable_x_ratelimit_headers: DRAFT_VERSION_03 # This adds the ability to see headers for how many tokens are left in the bucket, how often the bucket refills, and what is the token bucket max.
+ filter_enabled:
+ runtime_key: test_enabled
+ default_value:
+ numerator: 100
+ denominator: HUNDRED
+ filter_enforced:
+ runtime_key: test_enabled
+ default_value:
+ numerator: 100
+ denominator: HUNDRED
+ response_headers_to_add:
+ - append: false
+ header:
+ key: x-local-rate-limit
+ value: "true"
+ descriptors:
+ - entries:
+ - key: header_match
+ value: productpage
+ token_bucket:
+ max_tokens: 10
+ tokens_per_fill: 10
+ fill_interval: 60s
+
diff --git a/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml b/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml
new file mode 100644
index 00000000..1045482b
--- /dev/null
+++ b/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml
@@ -0,0 +1,151 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Redis service and deployment
+# Ratelimit service and deployment
+
+# Note: a configmap is needed to make the rate limit deployment work properly, for example:
+#
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: ratelimit-config
+# data:
+# config.yaml: |
+# domain: echo-ratelimit
+# descriptors:
+# - key: PATH
+# value: "/"
+# rate_limit:
+# unit: minute
+# requests_per_unit: 1
+# - key: PATH
+# rate_limit:
+# unit: minute
+# requests_per_unit: 100
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+ labels:
+ app: redis
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ selector:
+ app: redis
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis
+ template:
+ metadata:
+ labels:
+ app: redis
+ spec:
+ containers:
+ - image: redis:alpine
+ imagePullPolicy: IfNotPresent
+ name: redis
+ ports:
+ - name: redis
+ containerPort: 6379
+ restartPolicy: Always
+ serviceAccountName: ""
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratelimit
+ labels:
+ app: ratelimit
+spec:
+ ports:
+ - name: http-port
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+ - name: grpc-port
+ port: 8081
+ targetPort: 8081
+ protocol: TCP
+ - name: http-debug
+ port: 6070
+ targetPort: 6070
+ protocol: TCP
+ selector:
+ app: ratelimit
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratelimit
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratelimit
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: ratelimit
+ spec:
+ containers:
+ - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16
+ imagePullPolicy: IfNotPresent
+ name: ratelimit
+ command: ["/bin/ratelimit"]
+ env:
+ - name: LOG_LEVEL
+ value: debug
+ - name: REDIS_SOCKET_TYPE
+ value: tcp
+ - name: REDIS_URL
+ value: redis:6379
+ - name: USE_STATSD
+ value: "false"
+ - name: RUNTIME_ROOT
+ value: /data
+ - name: RUNTIME_SUBDIRECTORY
+ value: ratelimit
+ - name: RUNTIME_WATCH_ROOT
+ value: "false"
+ - name: RUNTIME_IGNOREDOTFILES
+ value: "true"
+ - name: HOST
+ value: "::"
+ - name: GRPC_HOST
+ value: "::"
+ ports:
+ - containerPort: 8080
+ - containerPort: 8081
+ - containerPort: 6070
+ volumeMounts:
+ - name: config-volume
+ mountPath: /data/ratelimit/config
+ volumes:
+ - name: config-volume
+ configMap:
+ name: ratelimit-config
diff --git a/istio-1.24.3/samples/security/psp/sidecar-psp.yaml b/istio-1.24.3/samples/security/psp/sidecar-psp.yaml
new file mode 100644
index 00000000..b44748f1
--- /dev/null
+++ b/istio-1.24.3/samples/security/psp/sidecar-psp.yaml
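Review bot: The `redis` Deployment in rate-limit-service.yaml runs the floating `redis:alpine` tag with no authentication, and nothing in the file limits who may connect to port 6379, so the counters the `ratelimit` service enforces on are not protected from other workloads in the cluster. I would pin the image (`image: redis:<version>@sha256:<digest>`, placeholder values) and admit only the `app: ratelimit` pods with a NetworkPolicy like the one below; it takes effect only where the cluster's network plugin enforces NetworkPolicy. The `ratelimit` container also ships with `LOG_LEVEL` set to `debug` and an image dated 2022/08/16, both worth revisiting before this runs anywhere but a demo.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-from-ratelimit
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ratelimit
      ports:
        - protocol: TCP
          port: 6379
```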
@@ -0,0 +1,46 @@
+apiVersion: policy/v1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-sidecar
+spec:
+ # Allow the istio sidecar injector to work
+ allowedCapabilities:
+ - NET_ADMIN
+ - NET_RAW
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-sidecar-psp
+rules:
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - istio-sidecar
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-psp
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts
diff --git a/istio-1.24.3/samples/security/spire/README.md b/istio-1.24.3/samples/security/spire/README.md
new file mode 100644
index 00000000..b3e1978f
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/README.md
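Review bot: sidecar-psp.yaml declares `kind: PodSecurityPolicy` under `apiVersion: policy/v1`, a combination the API server never served: PodSecurityPolicy existed only as `policy/v1beta1` (earlier `extensions/v1beta1`) and was removed in Kubernetes v1.25, so this manifest cannot be applied to a current cluster. The ClusterRole also grants `use` in the `extensions` API group rather than `policy`. If the policy were ever made to apply, the ClusterRoleBinding to `system:serviceaccounts` would allow every service account `NET_ADMIN`/`NET_RAW`, `RunAsAny` for user and groups, and `volumes: '*'`, which includes hostPath. I would drop the file from the commit, or at least open it with `# PodSecurityPolicy was removed in Kubernetes v1.25; kept for reference only, do not apply` and point readers to Pod Security Admission namespace labels.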
@@ -0,0 +1,90 @@
+# Integrating SPIRE as a CA through Envoy's SDS API
+
+This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information
+on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/).
+
+Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager).
+
+See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration.
+
+## Deploy the integration
+
+1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster:
+
+ ```bash
+ $ kubectl apply -f spire-quickstart.yaml
+ ```
+
+1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready:
+
+ ```bash
+ $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent
+ ```
+
+1. Use the configuration profile provided to install Istio (requires istioctl v1.14+):
+
+ ```bash
+ $ istioctl install -f istio-spire-config.yaml
+ ```
+
+1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label:
+
+ ```bash
+ $ kubectl apply -f clusterspiffeid.yaml
+ ```
+
+1. Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment:
+
+ ```bash
+ $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}'
+ ```
+
+1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label.
+
+ If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:
+
+ ```bash
+ $ kubectl apply -f sleep-spire.yaml
+ ```
+
+ Otherwise, manually inject the sidecar before applying:
+
+ ```bash
+ $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml)
+ ```
+
+1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command:
+
+ ```bash
+ $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}")
+ $ istioctl pc secret $SLEEP_POD -o json | jq -r \
+ '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem
+ ```
+
+1. Inspect the certificate content and verify that SPIRE was the issuer:
+
+ ```bash
+ $ openssl x509 -in chain.pem -text | grep SPIRE
+ Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt
+ ```
+
+## Tear down
+
+1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace:
+
+ ```bash
+ $ kubectl delete namespace spire
+ ```
+
+1. Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition:
+
+ ```bash
+ $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role
+ $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding
+ $ kubectl delete role spire-server-role leader-election-role
+ $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding
+ $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook
+ $ kubectl delete csidriver csi.spiffe.io
+ $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io
+ $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io
+ ```
diff --git a/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml b/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml
new file mode 100644
index 00000000..bf67989e
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml
@@ -0,0 +1,9 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ClusterSPIFFEID
+metadata:
+ name: example
+spec:
+ spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
+ podSelector:
+ matchLabels:
+ spiffe.io/spire-managed-identity: "true"
diff --git a/istio-1.24.3/samples/security/spire/curl-spire.yaml b/istio-1.24.3/samples/security/spire/curl-spire.yaml
new file mode 100644
index 00000000..dcaf9558
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/curl-spire.yaml
@@ -0,0 +1,70 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# curl service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: curl
+ labels:
+ app: curl
+ service: curl
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: curl
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: curl
+ template:
+ metadata:
+ labels:
+ app: curl
+ spiffe.io/spire-managed-identity: "true"
+ # Injects custom sidecar template
+ annotations:
+ inject.istio.io/templates: "sidecar,spire"
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: curl
+ containers:
+ - name: curl
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: tmp
+ emptyDir: {}
+---
\ No newline at end of file
diff --git a/istio-1.24.3/samples/security/spire/istio-spire-config.yaml b/istio-1.24.3/samples/security/spire/istio-spire-config.yaml
new file mode 100644
index 00000000..812c65ec
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/istio-spire-config.yaml
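Review bot: The `curl` container in curl-spire.yaml pulls `curlimages/curl` with no tag or digest while `imagePullPolicy` is `IfNotPresent`, so nodes can end up running different, unreviewed image versions, and its `securityContext` sets only `runAsUser: 1000`. Because the pod carries `spiffe.io/spire-managed-identity: "true"` and therefore receives a SPIRE-issued identity, I would pin the image and tighten the container as in the fence below. The existing `/tmp` emptyDir should make a read-only root filesystem workable, though that is untested here. The `sleep` container in sleep-spire.yaml is identical apart from its name and needs the same change.

```yaml
        image: curlimages/curl:<pinned-version>   # placeholder: pin a released tag or a digest
        # … unchanged: command, imagePullPolicy, volumeMounts …
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```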
@@ -0,0 +1,70 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+spec:
+ profile: default
+ meshConfig:
+ trustDomain: example.org
+ values:
+ global:
+ # This is used to customize the sidecar template
+ sidecarInjectorWebhook:
+ templates:
+ spire: |
+ spec:
+ containers:
+ - name: istio-proxy
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /run/secrets/workload-spiffe-uds
+ readOnly: true
+ volumes:
+ - name: workload-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+ components:
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: true
+ label:
+ istio: ingressgateway
+ k8s:
+ overlays:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: istio-ingressgateway
+ patches:
+ - path: spec.template.spec.volumes.[name:workload-socket]
+ value:
+ name: workload-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+ - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
+ value:
+ name: workload-socket
+ mountPath: "/run/secrets/workload-spiffe-uds"
+ readOnly: true
+ - path: spec.template.spec.initContainers
+ value:
+ - name: wait-for-spire-socket
+ image: busybox:1.28
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /run/secrets/workload-spiffe-uds
+ readOnly: true
+ env:
+ - name: CHECK_FILE
+ value: /run/secrets/workload-spiffe-uds/socket
+ command:
+ - sh
+ - "-c"
+ - |-
+ echo `date -Iseconds` Waiting for: ${CHECK_FILE}
+ while [[ ! -e ${CHECK_FILE} ]] ; do
+ echo `date -Iseconds` File does not exist: ${CHECK_FILE}
+ sleep 15
+ done
+ ls -l ${CHECK_FILE}
diff --git a/istio-1.24.3/samples/security/spire/sleep-spire.yaml b/istio-1.24.3/samples/security/spire/sleep-spire.yaml
new file mode 100644
index 00000000..d1e1673f
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/sleep-spire.yaml
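Review bot: The `wait-for-spire-socket` init container in istio-spire-config.yaml checks only that the path exists (`-e`), leaves `${CHECK_FILE}` unquoted, depends on busybox's `sh` accepting the bash-style `[[ … ]]`, and has no upper bound on how long it waits. A POSIX test for a socket is stricter and portable: `while [ ! -S "${CHECK_FILE}" ]; do`. `busybox:1.28` is also a dated image referenced by tag only; a current release pinned by digest would be safer for a container that runs in the ingress gateway pod. `trustDomain: example.org` is a placeholder that has to agree with the SPIRE server's `trust_domain`, which a comment such as `# must equal trust_domain in the SPIRE server config` would make explicit.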
@@ -0,0 +1,70 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sleep
+ labels:
+ app: sleep
+ service: sleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: sleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sleep
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sleep
+ template:
+ metadata:
+ labels:
+ app: sleep
+ spiffe.io/spire-managed-identity: "true"
+ # Injects custom sidecar template
+ annotations:
+ inject.istio.io/templates: "sidecar,spire"
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: sleep
+ containers:
+ - name: sleep
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: tmp
+ emptyDir: {}
+---
\ No newline at end of file
diff --git a/istio-1.24.3/samples/security/spire/spire-quickstart.yaml b/istio-1.24.3/samples/security/spire/spire-quickstart.yaml
new file mode 100644
index 00000000..238c91b6
--- /dev/null
+++ b/istio-1.24.3/samples/security/spire/spire-quickstart.yaml
@@ -0,0 +1,985 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: spire + +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire + +--- +# ConfigMap for spire-agent bootstrapping. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire + +--- +# ClusterRole to allow spire-server to query k8s API server. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-server service account. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- +# Role for the SPIRE server. 
+kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: spire + name: spire-server-role +rules: + # allow "get" access to pods (to resolve selectors for PSAT attestation) +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE + # agent bootstrapping, see the spire-bundle ConfigMap) +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["spire-bundle"] + verbs: ["get", "patch"] + +--- +# RoleBinding granting the spire-server-role to the SPIRE server +# service account. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: Role + name: spire-server-role + apiGroup: rbac.authorization.k8s.io + +--- +# ClusterRules for the SPIRE Controller Manager. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: 
["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + +--- +# Binds manager-role cluster role to spire-server service account. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire + +--- +# Permissions for the SPIRE server to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role + namespace: spire +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- +# Binds leader-election-role to spire-server service account. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-role-binding + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire + +--- +# ConfigMap containing the SPIRE server configuration. 
+apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "/run/spire/server/data" + log_level = "DEBUG" + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/server/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "demo-cluster" = { + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/server/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + namespace = "spire" + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } + +--- +# Configuration for the SPIRE Controller Manager. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager-config + namespace: spire +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8082 + healthProbe: + bindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: spire + clusterName: demo-cluster + trustDomain: example.org + ignoreNamespaces: + - kube-system + - kube-public + - spire + - local-path-storage + +--- +# SPIRE Server Deployment. 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: ghcr.io/spiffe/spire-server:1.5.4 + imagePullPolicy: IfNotPresent + args: + - -config + - /run/spire/server/config/server.conf + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/server/config + readOnly: true + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:0.2.3 + imagePullPolicy: IfNotPresent + args: + - "--config=spire-controller-manager-config.yaml" + ports: + - containerPort: 9443 + volumeMounts: + - name: spire-server-socket + mountPath: /spire-server + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config + +--- +# Service definition for SPIRE server defining the gRPC port. +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: NodePort + ports: + - name: grpc + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server + +--- +# Service definition for SPIRE server bundle endpoint. 
+apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: spire +spec: + type: NodePort + ports: + - name: tcp-api + port: 8443 + protocol: TCP + selector: + app: spire-server + +--- +# Service definition for SPIRE controller manager webhook. +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: spire +spec: + ports: + - name: tcp + port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server + +--- +# ClusterFederatedTrustDomains CRD. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# ClusterSPIFFEID CRD. 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream SPIRE server. 
+ type: boolean + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for SVIDs minted + for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and +# ClusterFederatedTrustDomain custom resources. 
+apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire + +--- +# Required cluster role to allow spire-agent to query k8s API server. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-agent service account. 
+kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/secrets/workload-spiffe-uds/socket" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "demo-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + + # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio + # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig + # If true, container selectors are not produced. + # This can be used to produce pod selectors when the workload pod is known + # but the workload container is not ready at the time of attestation. + # disable_container_selectors = true + } + } + + WorkloadAttestor "unix" { + plugin_data { + } + } + + } + +--- +# SPIRE Agent DaemonSet. 
+apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.5.4 + imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /run/secrets/workload-spiffe-uds + - name: spire-token + mountPath: /var/run/secrets/tokens + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. 
+ - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + # This volume is used to share the workload api socket between the + # CSI driver and SPIRE agent + - name: spire-agent-socket-dir + emptyDir: {} + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory diff --git a/istio-1.24.3/samples/sleep/README.md b/istio-1.24.3/samples/sleep/README.md new file mode 100644 index 00000000..b5c21550 --- /dev/null +++ b/istio-1.24.3/samples/sleep/README.md 
@@ -0,0 +1,6 @@
+# sleep has been replaced
+
+This sample has been replaced by the ["curl" sample](../curl/).
+The new version is the same, except that the servie account, service, pod and container are now all called `curl` instead of `sleep`, to more accurately communicate the intended use in our documentation.
+
+The original file is still provided, but please update any documentation or samples accordingly.
diff --git a/istio-1.24.3/samples/sleep/sleep.yaml b/istio-1.24.3/samples/sleep/sleep.yaml
new file mode 100644
index 00000000..570086b9
--- /dev/null
+++ b/istio-1.24.3/samples/sleep/sleep.yaml
@@ -0,0 +1,66 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sleep
+ labels:
+ app: sleep
+ service: sleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: sleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sleep
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sleep
+ template:
+ metadata:
+ labels:
+ app: sleep
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: sleep
+ containers:
+ - name: sleep
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/sleep/tls
+ name: secret-volume
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: sleep-secret
+ optional: true
+---
diff --git a/istio-1.24.3/samples/tcp-echo/README.md b/istio-1.24.3/samples/tcp-echo/README.md
new file mode 100644
index 00000000..50f2d82a
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/README.md
@@ -0,0 +1,38 @@
+# TCP Echo Service
+
+This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server
+allows you to connect to it over TCP and echoes back data sent to it along with
+a preconfigured prefix.
+
+## Usage
+
+To run the TCP Echo Service sample:
+
+1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html).
+
+1. Start the `tcp-echo-server` service inside the Istio service mesh:
+
+ ```console
+ $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml)
+ service/tcp-echo created
+ deployment.apps/tcp-echo created
+ ```
+
+1. Test by running the `nc` command from a `busybox` container from within the cluster.
+
+ ```console
+ $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000"
+ hello world
+ pod "dummy" deleted
+ ```
+
+ As you observe, sending _world_ on a TCP connection to the server results in
+ the server prepending _hello_ and echoing back with _hello world_.
+
+1. To clean up, execute the following command:
+
+ ```console
+ $ kubectl delete -f tcp-echo.yaml
+ service "tcp-echo" deleted
+ deployment.apps "tcp-echo" deleted
+ ```
diff --git a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
new file mode 100644
index 00000000..11e27be3
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-echo
+spec:
+ parentRefs:
+ - name: tcp-echo-gateway
+ sectionName: tcp-31400
+ rules:
+ - backendRefs:
+ - name: tcp-echo-v1
+ port: 9000
+ weight: 80
+ - name: tcp-echo-v2
+ port: 9000
+ weight: 20
diff --git a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
new file mode 100644
index 00000000..da089536
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
@@ -0,0 +1,50 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: tcp-echo-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: tcp-31400
+ protocol: TCP
+ port: 31400
+ allowedRoutes:
+ kinds:
+ - kind: TCPRoute
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo-v1
+spec:
+ ports:
+ - port: 9000
+ name: tcp
+ selector:
+ app: tcp-echo
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo-v2
+spec:
+ ports:
+ - port: 9000
+ name: tcp
+ selector:
+ app: tcp-echo
+ version: v2
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-echo
+spec:
+ parentRefs:
+ - name: tcp-echo-gateway
+ sectionName: tcp-31400
+ rules:
+ - backendRefs:
+ - name: tcp-echo-v1
+ port: 9000
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml
new file mode 100644
index 00000000..96494cc7
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml
@@ -0,0 +1,39 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: tcp-echo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tcp-echo-gateway
+ tcp:
+ - match:
+ - port: 31400
+ route:
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v1
+ weight: 80
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v2
+ weight: 20
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml
new file mode 100644
index 00000000..f71f21f3
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml
@@ -0,0 +1,61 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+ name: tcp-echo-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 31400
+ name: tcp
+ protocol: TCP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+ name: tcp-echo-destination
+spec:
+ host: tcp-echo
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: tcp-echo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tcp-echo-gateway
+ tcp:
+ - match:
+ - port: 31400
+ route:
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v1
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml
new file mode 100644
index 00000000..94cdf7ea
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml
@@ -0,0 +1,62 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies:
+ - IPv6
+ - IPv4
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml
new file mode 100644
index 00000000..3745129c
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml
@@ -0,0 +1,61 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml
new file mode 100644
index 00000000..ad70e706
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml
@@ -0,0 +1,61 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv6
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml
new file mode 100644
index 00000000..4ebde5ec
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml
@@ -0,0 +1,86 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo-v1
+ labels:
+ app: tcp-echo
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "one" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo-v2
+ labels:
+ app: tcp-echo
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v2
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "two" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml
new file mode 100644
index 00000000..05accba3
--- /dev/null
+++ b/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml
@@ -0,0 +1,58 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.3
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.24.3/samples/wasm_modules/README.md b/istio-1.24.3/samples/wasm_modules/README.md
new file mode 100644
index 00000000..4a8a8702
--- /dev/null
+++ b/istio-1.24.3/samples/wasm_modules/README.md
@@ -0,0 +1,3 @@
+# WASM demo
+
+`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions).
diff --git a/istio-1.24.3/samples/wasm_modules/header_injector/Makefile b/istio-1.24.3/samples/wasm_modules/header_injector/Makefile
new file mode 100644
index 00000000..377495d2
--- /dev/null
+++ b/istio-1.24.3/samples/wasm_modules/header_injector/Makefile
@@ -0,0 +1,22 @@
+.PHONY: docker-push docker-build build clean
+
+VERSION_LIST := 1 2
+HUB ?= gcr.io/istio-testing
+IMAGE_PREFIX ?= /wasm
+IMG := $(HUB)$(IMAGE_PREFIX)/header-injector
+
+all: docker-push
+
+build: plugin.cc plugin.h BUILD WORKSPACE
+ rm -f *.wasm
+ $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;)
+
+docker-build: build
+ $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;)
+
+docker-push: docker-build
+ $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);)
+
+clean:
+ rm -rf bazel-*
+ rm -f *.wasm
diff --git a/istio-1.24.3/samples/websockets/README.md b/istio-1.24.3/samples/websockets/README.md
new file mode 100644
index 00000000..26a1f382
--- /dev/null
+++ b/istio-1.24.3/samples/websockets/README.md
@@ -0,0 +1,48 @@
+# Tornado - Demo Websockets App
+
+This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`.
+The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example).
+
+__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`.
+
+## Prerequisites
+
+Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html).
+
+## Installation
+
+1. First install the application service:
+
+ - With manual sidecar injection:
+
+ ```command
+ kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml)
+ ```
+
+ - With automatic sidecar injection
+
+ ```command
+ kubectl create -f samples/websockets/app.yaml
+ ```
+
+1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic:
+
+ ```command
+ kubectl create -f samples/websockets/route.yaml
+ ```
+
+## Test
+
+- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
+
+- Access with your browser
+
+- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established.
+To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing).
+
+## Cleanup
+
+```command
+kubectl delete -f samples/websockets/route.yaml
+kubectl delete -f samples/websockets/app.yaml
+```
diff --git a/istio-1.24.3/samples/websockets/app.yaml b/istio-1.24.3/samples/websockets/app.yaml
new file mode 100644
index 00000000..4f44ea7d
--- /dev/null
+++ b/istio-1.24.3/samples/websockets/app.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tornado
+ labels:
+ app: tornado
+ service: tornado
+spec:
+ ports:
+ - port: 8888
+ name: http
+ selector:
+ app: tornado
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tornado
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tornado
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tornado
+ version: v1
+ spec:
+ containers:
+ - name: tornado
+ image: hiroakis/tornado-websocket-example
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8888
+---
diff --git a/istio-1.24.3/samples/websockets/route.yaml b/istio-1.24.3/samples/websockets/route.yaml
new file mode 100644
index 00000000..f71b1d91
--- /dev/null
+++ b/istio-1.24.3/samples/websockets/route.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+ name: tornado-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: tornado
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tornado-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: tornado
+ weight: 100
diff --git a/istio-1.24.3/tools/_istioctl b/istio-1.24.3/tools/_istioctl
new file mode 100644
index 00000000..d1e29f21
--- /dev/null
+++ b/istio-1.24.3/tools/_istioctl
@@ -0,0 +1,212 @@ +#compdef istioctl +compdef _istioctl istioctl + +# zsh completion for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + local file="$BASH_COMP_DEBUG_FILE" + if [[ -n ${file} ]]; then + echo "$*" >> "${file}" + fi +} + +_istioctl() +{ + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + local shellCompDirectiveKeepOrder=32 + + local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder + local -a completions + + __istioctl_debug "\n========= starting completion logic ==========" + __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $CURRENT location, so we need + # to truncate the command-line ($words) up to the $CURRENT location. + # (We cannot use $CURSOR as its value does not work when a command is an alias.) + words=("${=words[1,CURRENT]}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + lastParam=${words[-1]} + lastChar=${lastParam[-1]} + __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" + + # For zsh, when completing a flag with an = (e.g., istioctl -n=) + # completions must be prefixed with the flag + setopt local_options BASH_REMATCH + if [[ "${lastParam}" =~ '-.*=' ]]; then + # We are dealing with a flag with an = + flagPrefix="-P ${BASH_REMATCH}" + fi + + # Prepare the command to obtain completions + requestComp="${words[1]} __complete ${words[2,-1]}" + if [ "${lastChar}" = "" ]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go completion code. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} \"\"" + fi + + __istioctl_debug "About to call: eval ${requestComp}" + + # Use eval to handle any environment variables and such + out=$(eval ${requestComp} 2>/dev/null) + __istioctl_debug "completion output: ${out}" + + # Extract the directive integer following a : from the last line + local lastLine + while IFS='\n' read -r line; do + lastLine=${line} + done < <(printf "%s\n" "${out[@]}") + __istioctl_debug "last line: ${lastLine}" + + if [ "${lastLine[1]}" = : ]; then + directive=${lastLine[2,-1]} + # Remove the directive including the : and the newline + local suffix + (( suffix=${#lastLine}+2)) + out=${out[1,-$suffix]} + else + # There is no directive specified. Leave $out as is. + __istioctl_debug "No directive found. Setting do default" + directive=0 + fi + + __istioctl_debug "directive: ${directive}" + __istioctl_debug "completions: ${out}" + __istioctl_debug "flagPrefix: ${flagPrefix}" + + if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then + __istioctl_debug "Completion received error. Ignoring completions." + return + fi + + local activeHelpMarker="_activeHelp_ " + local endIndex=${#activeHelpMarker} + local startIndex=$((${#activeHelpMarker}+1)) + local hasActiveHelp=0 + while IFS='\n' read -r comp; do + # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker) + if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then + __istioctl_debug "ActiveHelp found: $comp" + comp="${comp[$startIndex,-1]}" + if [ -n "$comp" ]; then + compadd -x "${comp}" + __istioctl_debug "ActiveHelp will need delimiter" + hasActiveHelp=1 + fi + + continue + fi + + if [ -n "$comp" ]; then + # If requested, completions are returned with a description. + # The description is preceded by a TAB character. + # For zsh's _describe, we need to use a : instead of a TAB. + # We first need to escape any : as part of the completion itself. 
+ comp=${comp//:/\\:} + + local tab="$(printf '\t')" + comp=${comp//$tab/:} + + __istioctl_debug "Adding completion: ${comp}" + completions+=${comp} + lastComp=$comp + fi + done < <(printf "%s\n" "${out[@]}") + + # Add a delimiter after the activeHelp statements, but only if: + # - there are completions following the activeHelp statements, or + # - file completion will be performed (so there will be choices after the activeHelp) + if [ $hasActiveHelp -eq 1 ]; then + if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then + __istioctl_debug "Adding activeHelp delimiter" + compadd -x "--" + hasActiveHelp=0 + fi + fi + + if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then + __istioctl_debug "Activating nospace." + noSpace="-S ''" + fi + + if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then + __istioctl_debug "Activating keep order." + keepOrder="-V" + fi + + if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then + # File extension filtering + local filteringCmd + filteringCmd='_files' + for filter in ${completions[@]}; do + if [ ${filter[1]} != '*' ]; then + # zsh requires a glob pattern to do file filtering + filter="\*.$filter" + fi + filteringCmd+=" -g $filter" + done + filteringCmd+=" ${flagPrefix}" + + __istioctl_debug "File filtering command: $filteringCmd" + _arguments '*:filename:'"$filteringCmd" + elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then + # File completion for directories only + local subdir + subdir="${completions[1]}" + if [ -n "$subdir" ]; then + __istioctl_debug "Listing directories in $subdir" + pushd "${subdir}" >/dev/null 2>&1 + else + __istioctl_debug "Listing directories in ." + fi + + local result + _arguments '*:dirname:_files -/'" ${flagPrefix}" + result=$? 
+ if [ -n "$subdir" ]; then + popd >/dev/null 2>&1 + fi + return $result + else + __istioctl_debug "Calling _describe" + if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then + __istioctl_debug "_describe found some completions" + + # Return the success of having called _describe + return 0 + else + __istioctl_debug "_describe did not find completions." + __istioctl_debug "Checking if we should do file completion." + if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then + __istioctl_debug "deactivating file completion" + + # We must return an error code here to let zsh know that there were no + # completions found by _describe; this is what will trigger other + # matching algorithms to attempt to find completions. + # For example zsh can match letters in the middle of words. + return 1 + else + # Perform file completion + __istioctl_debug "Activating file completion" + + # We must return the result of this command, so it must be the + # last command, or else we must store its result to return it. + _arguments '*:filename:_files'" ${flagPrefix}" + fi + fi + fi +} + +# don't run the completion function when being source-ed or eval-ed +if [ "$funcstack[1]" = "_istioctl" ]; then + _istioctl +fi diff --git a/istio-1.24.3/tools/certs/Makefile.k8s.mk b/istio-1.24.3/tools/certs/Makefile.k8s.mk new file mode 100644 index 00000000..cdf8f9d5 --- /dev/null +++ b/istio-1.24.3/tools/certs/Makefile.k8s.mk 
@@ -0,0 +1,102 @@
+.SUFFIXES: .csr .pem .conf
+.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
+.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
+.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
+
+.DEFAULT_GOAL := help
+
+SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
+include $(SELF_DIR)common.mk
+
+#------------------------------------------------------------------------
+##help: print this help message
+.PHONY: help
+
+help:
+ @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
+
+#------------------------------------------------------------------------
+##fetch-root-ca: fetch root CA and key from a k8s cluster.
+.PHONY: fetch-root-ca
+rawcluster := $(shell kubectl config current-context)
+cluster := $(subst /,-,$(rawcluster))
+pwd := $(shell pwd)
+export KUBECONFIG
+
+fetch-root-ca:
+ @echo "fetching root ca from k8s cluster: "$(cluster)""
+ @mkdir -p $(pwd)/$(cluster)
+ @res=$$(kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; echo $$?); \
+ if [ $$res -eq 1 ]; then \
+ kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \
+ kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem; \
+ else \
+ kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \
+ kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem; \
+ fi
+
+k8s-root-cert.pem:
+ @cat $(cluster)/k8s-root-cert.pem > $@
+
+k8s-root-key.pem:
+ @cat $(cluster)/k8s-root-key.pem > $@
+#------------------------------------------------------------------------
+##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory
+.PHONY: %-cacerts
+
+%-cacerts: %/cert-chain.pem
+ @echo "done"
+
+%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate certs stored in $(dir $<)"
+ @cp k8s-root-cert.pem $(dir $<)/root-cert.pem
+
+%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem
+ @echo "generating $@"
+ @openssl x509 -req -days $(INTERMEDIATE_DAYS) \
+ -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/intermediate.conf \
+ -in $< -out $@
+
+%/cluster-ca.csr: L=$(dir $@)
+%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
+ @echo "generating $@"
+ @openssl req -new -config $(L)/intermediate.conf -key $< -out $@
+
+%/ca-key.pem: fetch-root-ca
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
+
+#------------------------------------------------------------------------
+##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster.
+.PHONY: %-certs
+
+%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem
+ @echo "done"
+
+%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate and workload certs stored in $(dir $<)"
+ @cp k8s-root-cert.pem $(dir $@)/root-cert.pem
+
+%/workload-cert.pem: %/workload.csr
+ @echo "generating $@"
+ @openssl x509 -req -days $(WORKLOAD_DAYS) \
+ -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/workload.conf \
+ -in $< -out $@
+
+%/workload.csr: L=$(dir $@)
+%/workload.csr: %/key.pem %/workload.conf
+ @echo "generating $@"
+ @openssl req -new -config $(L)/workload.conf -key $< -out $@
+
+%/key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
\ No newline at end of file
diff --git a/istio-1.24.3/tools/certs/Makefile.selfsigned.mk b/istio-1.24.3/tools/certs/Makefile.selfsigned.mk
new file mode 100644
index 00000000..2a87d071
--- /dev/null
+++ b/istio-1.24.3/tools/certs/Makefile.selfsigned.mk
@@ -0,0 +1,98 @@
+.SUFFIXES: .csr .pem .conf
+.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
+.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
+.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
+
+.DEFAULT_GOAL := help
+
+SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
+include $(SELF_DIR)common.mk
+
+#------------------------------------------------------------------------
+##help: print this help message
+.PHONY: help
+
+help:
+ @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
+
+#------------------------------------------------------------------------
+##root-ca: generate root CA files (key and certificate) in current directory.
+.PHONY: root-ca
+
+root-ca: root-key.pem root-cert.pem
+
+root-cert.pem: root-cert.csr root-key.pem
+ @echo "generating $@"
+ @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \
+ -extensions req_ext -extfile root-ca.conf \
+ -in $< -out $@
+
+root-cert.csr: root-key.pem root-ca.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -key $< -config root-ca.conf -out $@
+
+root-key.pem:
+ @echo "generating $@"
+ @openssl genrsa -out $@ 4096
+#------------------------------------------------------------------------
+##-cacerts: generate self signed intermediate certificates for and store them under directory.
+.PHONY: %-cacerts
+
+%-cacerts: %/cert-chain.pem
+ @echo "done"
+
+%/cert-chain.pem: %/ca-cert.pem root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate inputs stored in $(dir $<)"
+ @cp root-cert.pem $(dir $<)
+
+
+%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem
+ @echo "generating $@"
+ @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \
+ -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/intermediate.conf \
+ -in $< -out $@
+
+%/cluster-ca.csr: L=$(dir $@)
+%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@
+
+%/ca-key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
+
+#------------------------------------------------------------------------
+##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs.
+.PHONY: %-certs
+
+%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem
+ @echo "done"
+
+%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate and workload certs stored in $(dir $<)"
+ @cp root-cert.pem $(dir $@)/root-cert.pem
+
+
+%/workload-cert.pem: %/workload.csr
+ @echo "generating $@"
+ @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \
+ -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/workload.conf \
+ -in $< -out $@
+
+%/workload.csr: L=$(dir $@)
+%/workload.csr: %/key.pem %/workload.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@
+
+%/key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
diff --git a/istio-1.24.3/tools/certs/README.md b/istio-1.24.3/tools/certs/README.md
new file mode 100644
index 00000000..f8dfcd08
--- /dev/null
+++ b/istio-1.24.3/tools/certs/README.md
@@ -0,0 +1,46 @@
+# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust
+
+The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates:
+- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default
+`kubeconfig` is used for accessing the cluster.
+- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root.
+
+The table below describes the targets supported by both Makefiles.
+
+Make Target | Makefile | Description
+------ | -------- | -----------
+`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate.
+`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`.
+`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name.
+`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory.
+`clean` | Both | Removes any generated root certificates, keys, and intermediate files.
+
+For example:
+
+```bash
+make -f Makefile.selfsigned.mk root-ca
+```
+
+Note that the Makefile generates long-lived intermediate certificates. While this might be
+acceptable for demonstration purposes, a more realistic and secure deployment would use
+short-lived and automatically renewed certificates for the intermediate CAs.
+
+## Creating Certificates Using an Existing Istio CA
+
+```bash
+make -f Makefile.k8s.mk fetch-root-ca
+```
+
+The `fetch-root-ca` target retrieves the root CA certificate and key from an Istio-enabled Kubernetes cluster. This process is useful when establishing a trusted certificate chain across multiple clusters or environments using an existing Istio root certificate. **By default, it fetches the certificate and key from the `istio-ca-secret`, and if that is not available, it retrieves them from the `cacerts` secret.**
+
+The command generates the certificate and key files in a directory named after the **current context** from your `kubeconfig` file.
+
+```bash
+make -f Makefile.k8s.mk $(cluster name)-cacerts
+```
+
+Afterwards, running the above command will generate an **Intermediate CA** certificate based on the root CA. For example, if you want to create an intermediate CA for `cluster01`, you would run the following command:
+
+```bash
+make -f Makefile.k8s.mk cluster01-cacerts
+```
diff --git a/istio-1.24.3/tools/certs/common.mk b/istio-1.24.3/tools/certs/common.mk
new file mode 100644
index 00000000..ba3f90c9
--- /dev/null
+++ b/istio-1.24.3/tools/certs/common.mk
@@ -0,0 +1,101 @@
+#------------------------------------------------------------------------
+# variables: root CA
+ROOTCA_DAYS ?= 3650
+ROOTCA_KEYSZ ?= 4096
+ROOTCA_ORG ?= Istio
+ROOTCA_CN ?= Root CA
+KUBECONFIG ?= $(HOME)/.kube/config
+ISTIO_NAMESPACE ?= istio-system
+# Additional variables are defined in root-ca.conf target below.
+
+#------------------------------------------------------------------------
+# variables: intermediate CA
+INTERMEDIATE_DAYS ?= 3650
+INTERMEDIATE_KEYSZ ?= 4096
+INTERMEDIATE_ORG ?= Istio
+INTERMEDIATE_CN ?= Intermediate CA
+INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
+# Additional variables are defined in %/intermediate.conf target below.
+
+#------------------------------------------------------------------------
+# variables: workload certs: eg VM
+WORKLOAD_DAYS ?= 1
+SERVICE_ACCOUNT ?= default
+WORKLOAD_CN ?= Workload
+
+#------------------------------------------------------------------------
+# variables: files to clean
+FILES_TO_CLEAN+=k8s-root-cert.pem \
+ k8s-root-cert.srl \
+ k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem
+#------------------------------------------------------------------------
+# clean
+.PHONY: clean
+
+clean: ## Cleans all the intermediate files and folders previously generated.
+ @rm -f $(FILES_TO_CLEAN)
+
+root-ca.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(ROOTCA_ORG)" >> $@
+ @echo "CN = $(ROOTCA_CN)" >> $@
+
+%/intermediate.conf: L=$(dir $@)
+%/intermediate.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(INTERMEDIATE_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
+
+%/workload.conf: L=$(dir $@)
+%/workload.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:false" >> $@
+ @echo "keyUsage = digitalSignature, keyEncipherment" >> $@
+ @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(WORKLOAD_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
diff --git a/istio-1.24.3/tools/istioctl.bash b/istio-1.24.3/tools/istioctl.bash
new file mode 100644
index 00000000..60a13d0f
--- /dev/null
+++ b/istio-1.24.3/tools/istioctl.bash
@@ -0,0 +1,338 @@ +# bash completion V2 for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then + echo "$*" >> "${BASH_COMP_DEBUG_FILE}" + fi +} + +# Macs have bash3 for which the bash-completion package doesn't include +# _init_completion. This is a minimal version of that function. +__istioctl_init_completion() +{ + COMPREPLY=() + _get_comp_words_by_ref "$@" cur prev words cword +} + +# This function calls the istioctl program to obtain the completion +# results and the directive. It fills the 'out' and 'directive' vars. +__istioctl_get_completion_results() { + local requestComp lastParam lastChar args + + # Prepare the command to request completions for the program. + # Calling ${words[0]} instead of directly istioctl allows handling aliases + args=("${words[@]:1}") + requestComp="${words[0]} __complete ${args[*]}" + + lastParam=${words[$((${#words[@]}-1))]} + lastChar=${lastParam:$((${#lastParam}-1)):1} + __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" + + if [[ -z ${cur} && ${lastChar} != = ]]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go method. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} ''" + fi + + # When completing a flag with an = (e.g., istioctl -n=) + # bash focuses on the part after the =, so we need to remove + # the flag part from $cur + if [[ ${cur} == -*=* ]]; then + cur="${cur#*=}" + fi + + __istioctl_debug "Calling ${requestComp}" + # Use eval to handle any environment variables and such + out=$(eval "${requestComp}" 2>/dev/null) + + # Extract the directive integer at the very end of the output following a colon (:) + directive=${out##*:} + # Remove the directive + out=${out%:*} + if [[ ${directive} == "${out}" ]]; then + # There is not directive specified + directive=0 + fi + __istioctl_debug "The completion directive is: ${directive}" + __istioctl_debug "The completions are: ${out}" +} + +__istioctl_process_completion_results() { + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + local shellCompDirectiveKeepOrder=32 + + if (((directive & shellCompDirectiveError) != 0)); then + # Error code. No completion. 
+ __istioctl_debug "Received error from custom completion go code" + return + else + if (((directive & shellCompDirectiveNoSpace) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + __istioctl_debug "Activating no space" + compopt -o nospace + else + __istioctl_debug "No space directive not supported in this version of bash" + fi + fi + if (((directive & shellCompDirectiveKeepOrder) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + # no sort isn't supported for bash less than < 4.4 + if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then + __istioctl_debug "No sort directive not supported in this version of bash" + else + __istioctl_debug "Activating keep order" + compopt -o nosort + fi + else + __istioctl_debug "No sort directive not supported in this version of bash" + fi + fi + if (((directive & shellCompDirectiveNoFileComp) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + __istioctl_debug "Activating no file completion" + compopt +o default + else + __istioctl_debug "No file completion directive not supported in this version of bash" + fi + fi + fi + + # Separate activeHelp from normal completions + local completions=() + local activeHelp=() + __istioctl_extract_activeHelp + + if (((directive & shellCompDirectiveFilterFileExt) != 0)); then + # File extension filtering + local fullFilter filter filteringCmd + + # Do not use quotes around the $completions variable or else newline + # characters will be kept. 
+ for filter in ${completions[*]}; do + fullFilter+="$filter|" + done + + filteringCmd="_filedir $fullFilter" + __istioctl_debug "File filtering command: $filteringCmd" + $filteringCmd + elif (((directive & shellCompDirectiveFilterDirs) != 0)); then + # File completion for directories only + + local subdir + subdir=${completions[0]} + if [[ -n $subdir ]]; then + __istioctl_debug "Listing directories in $subdir" + pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return + else + __istioctl_debug "Listing directories in ." + _filedir -d + fi + else + __istioctl_handle_completion_types + fi + + __istioctl_handle_special_char "$cur" : + __istioctl_handle_special_char "$cur" = + + # Print the activeHelp statements before we finish + if ((${#activeHelp[*]} != 0)); then + printf "\n"; + printf "%s\n" "${activeHelp[@]}" + printf "\n" + + # The prompt format is only available from bash 4.4. + # We test if it is available before using it. + if (x=${PS1@P}) 2> /dev/null; then + printf "%s" "${PS1@P}${COMP_LINE[@]}" + else + # Can't print the prompt. Just print the + # text the user had typed, it is workable enough. + printf "%s" "${COMP_LINE[@]}" + fi + fi +} + +# Separate activeHelp lines from real completions. +# Fills the $activeHelp and $completions arrays. 
+__istioctl_extract_activeHelp() { + local activeHelpMarker="_activeHelp_ " + local endIndex=${#activeHelpMarker} + + while IFS='' read -r comp; do + if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then + comp=${comp:endIndex} + __istioctl_debug "ActiveHelp found: $comp" + if [[ -n $comp ]]; then + activeHelp+=("$comp") + fi + else + # Not an activeHelp line but a normal completion + completions+=("$comp") + fi + done <<<"${out}" +} + +__istioctl_handle_completion_types() { + __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE" + + case $COMP_TYPE in + 37|42) + # Type: menu-complete/menu-complete-backward and insert-completions + # If the user requested inserting one completion at a time, or all + # completions at once on the command-line we must remove the descriptions. + # https://github.com/spf13/cobra/issues/1508 + local tab=$'\t' comp + while IFS='' read -r comp; do + [[ -z $comp ]] && continue + # Strip any description + comp=${comp%%$tab*} + # Only consider the completions that match + if [[ $comp == "$cur"* ]]; then + COMPREPLY+=("$comp") + fi + done < <(printf "%s\n" "${completions[@]}") + ;; + + *) + # Type: complete (normal completion) + __istioctl_handle_standard_completion_case + ;; + esac +} + +__istioctl_handle_standard_completion_case() { + local tab=$'\t' comp + + # Short circuit to optimize if we don't have descriptions + if [[ "${completions[*]}" != *$tab* ]]; then + IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur") + return 0 + fi + + local longest=0 + local compline + # Look for the longest completion so that we can format things nicely + while IFS='' read -r compline; do + [[ -z $compline ]] && continue + # Strip any description before checking the length + comp=${compline%%$tab*} + # Only consider the completions that match + [[ $comp == "$cur"* ]] || continue + COMPREPLY+=("$compline") + if ((${#comp}>longest)); then + longest=${#comp} + fi + done < <(printf "%s\n" 
"${completions[@]}") + + # If there is a single completion left, remove the description text + if ((${#COMPREPLY[*]} == 1)); then + __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" + comp="${COMPREPLY[0]%%$tab*}" + __istioctl_debug "Removed description from single completion, which is now: ${comp}" + COMPREPLY[0]=$comp + else # Format the descriptions + __istioctl_format_comp_descriptions $longest + fi +} + +__istioctl_handle_special_char() +{ + local comp="$1" + local char=$2 + if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then + local word=${comp%"${comp##*${char}}"} + local idx=${#COMPREPLY[*]} + while ((--idx >= 0)); do + COMPREPLY[idx]=${COMPREPLY[idx]#"$word"} + done + fi +} + +__istioctl_format_comp_descriptions() +{ + local tab=$'\t' + local comp desc maxdesclength + local longest=$1 + + local i ci + for ci in ${!COMPREPLY[*]}; do + comp=${COMPREPLY[ci]} + # Properly format the description string which follows a tab character if there is one + if [[ "$comp" == *$tab* ]]; then + __istioctl_debug "Original comp: $comp" + desc=${comp#*$tab} + comp=${comp%%$tab*} + + # $COLUMNS stores the current shell width. + # Remove an extra 4 because we add 2 spaces and 2 parentheses. + maxdesclength=$(( COLUMNS - longest - 4 )) + + # Make sure we can fit a description of at least 8 characters + # if we are to align the descriptions. 
+ if ((maxdesclength > 8)); then + # Add the proper number of spaces to align the descriptions + for ((i = ${#comp} ; i < longest ; i++)); do + comp+=" " + done + else + # Don't pad the descriptions so we can fit more text after the completion + maxdesclength=$(( COLUMNS - ${#comp} - 4 )) + fi + + # If there is enough space for any description text, + # truncate the descriptions that are too long for the shell width + if ((maxdesclength > 0)); then + if ((${#desc} > maxdesclength)); then + desc=${desc:0:$(( maxdesclength - 1 ))} + desc+="…" + fi + comp+=" ($desc)" + fi + COMPREPLY[ci]=$comp + __istioctl_debug "Final comp: $comp" + fi + done +} + +__start_istioctl() +{ + local cur prev words cword split + + COMPREPLY=() + + # Call _init_completion from the bash-completion package + # to prepare the arguments properly + if declare -F _init_completion >/dev/null 2>&1; then + _init_completion -n =: || return + else + __istioctl_init_completion -n =: || return + fi + + __istioctl_debug + __istioctl_debug "========= starting completion logic ==========" + __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $cword location, so we need + # to truncate the command-line ($words) up to the $cword location. + words=("${words[@]:0:$cword+1}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + local out directive + __istioctl_get_completion_results + __istioctl_process_completion_results +} + +if [[ $(type -t compopt) = "builtin" ]]; then + complete -o default -F __start_istioctl istioctl +else + complete -o default -o nospace -F __start_istioctl istioctl +fi + +# ex: ts=4 sw=4 et filetype=sh From 0351e2d0ebdcb758e7c338a592bda7172614c03b Mon Sep 17 00:00:00 2001 
From: German Date: Fri, 13 Feb 2026 10:07:47 -0800 Subject: [PATCH 6/9] chore: remove accidentally committed istio-1.24.3 folder --- istio-1.24.3/LICENSE | 202 --- istio-1.24.3/README.md | 123 -- istio-1.24.3/manifest.yaml | 36 - istio-1.24.3/manifests/profiles/ambient.yaml | 13 - istio-1.24.3/manifests/profiles/default.yaml | 32 - istio-1.24.3/manifests/profiles/demo.yaml | 9 - istio-1.24.3/manifests/profiles/empty.yaml | 13 - istio-1.24.3/manifests/profiles/minimal.yaml | 8 - .../manifests/profiles/openshift-ambient.yaml | 18 - .../manifests/profiles/openshift.yaml | 10 - istio-1.24.3/manifests/profiles/preview.yaml | 8 - istio-1.24.3/manifests/profiles/remote.yaml | 15 - istio-1.24.3/manifests/profiles/stable.yaml | 5 - istio-1.24.3/samples/README.md | 3 - istio-1.24.3/samples/addons/README.md | 102 -- .../addons/extras/prometheus-operator.yaml | 66 - .../samples/addons/extras/skywalking.yaml | 133 -- .../samples/addons/extras/zipkin.yaml | 61 - istio-1.24.3/samples/addons/grafana.yaml | 1112 ----------------- istio-1.24.3/samples/addons/jaeger.yaml | 121 -- istio-1.24.3/samples/addons/kiali.yaml | 425 ------- istio-1.24.3/samples/addons/loki.yaml | 382 ------ istio-1.24.3/samples/addons/prometheus.yaml | 570 --------- istio-1.24.3/samples/ambient-argo/README.md | 99 -- .../ambient-argo/application/application.yaml | 22 - .../application/bookinfo-versions.yaml | 72 -- .../application/details-waypoint.yaml | 12 - .../ambient-argo/application/details.yaml | 50 - .../application/ingress-gateway.yaml | 41 - .../ambient-argo/application/namespace.yaml | 4 - .../ambient-argo/application/productpage.yaml | 60 - .../ambient-argo/application/ratings.yaml | 50 - .../application/reviews-waypoint.yaml | 12 - .../ambient-argo/application/reviews.yaml | 143 --- .../application/route-reviews-90-10.yaml | 17 - .../samples/ambient-argo/istio/cni.yaml | 33 - .../istio/control-plane-appset.yaml | 39 - .../samples/ambient-argo/istio/extras.yaml | 24 - 
.../samples/ambient-argo/istio/tags.yaml | 33 - .../samples/ambient-argo/istio/ztunnel.yaml | 25 - .../ambient-argo/meta-application.yaml | 31 - .../samples/ambient-argo/tag-chart/Chart.yaml | 11 - .../tag-chart/templates/mutatingwebhooks.yaml | 109 -- .../tag-chart/templates/shimservice.yaml | 31 - .../templates/validatingwebhook.yaml | 48 - .../ambient-argo/tag-chart/values.yaml | 41 - istio-1.24.3/samples/bookinfo/README.md | 234 ---- .../bookinfo/demo-profile-no-gateways.yaml | 12 - .../gateway-api/bookinfo-gateway.yaml | 41 - .../bookinfo/gateway-api/route-all-v1.yaml | 60 - .../gateway-api/route-reviews-50-v3.yaml | 18 - .../gateway-api/route-reviews-90-10.yaml | 18 - .../gateway-api/route-reviews-v1.yaml | 14 - .../gateway-api/route-reviews-v3.yaml | 14 - .../bookinfo/networking/bookinfo-gateway.yaml | 43 - .../networking/certmanager-gateway.yaml | 35 - .../networking/destination-rule-all-mtls.yaml | 74 -- .../networking/destination-rule-all.yaml | 62 - .../networking/destination-rule-reviews.yaml | 19 - .../networking/egress-rule-google-apis.yaml | 46 - .../fault-injection-details-v1.yaml | 32 - .../networking/virtual-service-all-v1.yaml | 52 - .../virtual-service-details-v2.yaml | 12 - .../virtual-service-ratings-db.yaml | 26 - .../virtual-service-ratings-mysql-vm.yaml | 26 - .../virtual-service-ratings-mysql.yaml | 26 - .../virtual-service-ratings-test-abort.yaml | 25 - .../virtual-service-ratings-test-delay.yaml | 25 - .../virtual-service-reviews-50-v3.yaml | 17 - .../virtual-service-reviews-80-20.yaml | 17 - .../virtual-service-reviews-90-10.yaml | 17 - .../virtual-service-reviews-jason-v2-v3.yaml | 20 - .../virtual-service-reviews-test-v2.yaml | 20 - .../virtual-service-reviews-v2-v3.yaml | 17 - .../virtual-service-reviews-v3.yaml | 12 - .../samples/bookinfo/platform/kube/README.md | 2 - .../platform/kube/bookinfo-certificate.yaml | 37 - .../bookinfo/platform/kube/bookinfo-db.yaml | 63 - .../kube/bookinfo-details-dualstack.yaml | 59 - 
.../platform/kube/bookinfo-details-v2.yaml | 46 - .../platform/kube/bookinfo-details.yaml | 57 - .../platform/kube/bookinfo-dualstack.yaml | 343 ----- .../platform/kube/bookinfo-ingress.yaml | 63 - .../platform/kube/bookinfo-mysql.yaml | 79 -- .../bookinfo/platform/kube/bookinfo-psa.yaml | 363 ------ .../bookinfo-ratings-discovery-dualstack.yaml | 33 - .../kube/bookinfo-ratings-discovery.yaml | 31 - .../kube/bookinfo-ratings-dualstack.yaml | 59 - .../kube/bookinfo-ratings-v2-mysql-vm.yaml | 53 - .../kube/bookinfo-ratings-v2-mysql.yaml | 56 - .../platform/kube/bookinfo-ratings-v2.yaml | 63 - .../platform/kube/bookinfo-ratings.yaml | 57 - .../platform/kube/bookinfo-reviews-v2.yaml | 56 - .../platform/kube/bookinfo-versions.yaml | 72 -- .../bookinfo/platform/kube/bookinfo.yaml | 335 ----- .../samples/bookinfo/platform/kube/cleanup.sh | 85 -- .../platform/kube/productpage-nodeport.yaml | 32 - .../policy/productpage_envoy_ratelimit.yaml | 88 -- .../samples/bookinfo/src/build-services.sh | 42 - .../bookinfo/src/mongodb/ratings_data.json | 2 - .../samples/bookinfo/src/mongodb/script.sh | 18 - .../bookinfo/src/productpage/requirements.txt | 633 ---------- .../src/productpage/test-requirements.txt | 122 -- .../samples/bookinfo/src/ratings/package.json | 11 - istio-1.24.3/samples/bookinfo/swagger.yaml | 248 ---- istio-1.24.3/samples/builder/README.md | 31 - istio-1.24.3/samples/certs/README.md | 38 - istio-1.24.3/samples/certs/ca-cert-alt-2.pem | 32 - istio-1.24.3/samples/certs/ca-cert-alt.pem | 32 - istio-1.24.3/samples/certs/ca-cert.pem | 22 - istio-1.24.3/samples/certs/ca-key-alt-2.pem | 52 - istio-1.24.3/samples/certs/ca-key-alt.pem | 52 - istio-1.24.3/samples/certs/ca-key.pem | 27 - .../samples/certs/cert-chain-alt-2.pem | 62 - istio-1.24.3/samples/certs/cert-chain-alt.pem | 62 - istio-1.24.3/samples/certs/cert-chain.pem | 22 - .../samples/certs/generate-workload.sh | 111 -- .../samples/certs/leaf-workload-bar-cert.pem | 21 - .../samples/certs/leaf-workload-foo-cert.pem 
| 21 - istio-1.24.3/samples/certs/root-cert-alt.pem | 30 - .../samples/certs/root-cert-combined-2.pem | 84 -- .../samples/certs/root-cert-combined.pem | 54 - istio-1.24.3/samples/certs/root-cert.pem | 24 - .../samples/certs/workload-bar-cert.pem | 43 - .../samples/certs/workload-bar-key.pem | 27 - .../samples/certs/workload-bar-root-certs.pem | 46 - .../samples/certs/workload-foo-cert.pem | 43 - .../samples/certs/workload-foo-key.pem | 27 - .../samples/certs/workload-foo-root-certs.pem | 46 - istio-1.24.3/samples/cicd/skaffold/README.md | 45 - .../samples/cicd/skaffold/skaffold.yaml | 145 --- istio-1.24.3/samples/curl/README.md | 28 - istio-1.24.3/samples/curl/curl.yaml | 66 - .../samples/custom-bootstrap/README.md | 57 - .../custom-bootstrap/custom-bootstrap.yaml | 20 - .../samples/custom-bootstrap/example-app.yaml | 30 - istio-1.24.3/samples/extauthz/README.md | 99 -- istio-1.24.3/samples/extauthz/ext-authz.yaml | 55 - .../samples/extauthz/local-ext-authz.yaml | 111 -- istio-1.24.3/samples/external/README.md | 34 - istio-1.24.3/samples/external/aptget.yaml | 20 - istio-1.24.3/samples/external/github.yaml | 53 - istio-1.24.3/samples/external/pypi.yaml | 44 - istio-1.24.3/samples/grpc-echo/README.md | 7 - istio-1.24.3/samples/grpc-echo/grpc-echo.yaml | 191 --- .../health-check/liveness-command.yaml | 58 - .../health-check/liveness-http-same-port.yaml | 40 - istio-1.24.3/samples/helloworld/README.md | 110 -- .../samples/helloworld/gateway-api/README.md | 74 -- .../gateway-api/helloworld-gateway.yaml | 29 - .../gateway-api/helloworld-route.yaml | 19 - .../gateway-api/helloworld-versions.yaml | 23 - .../samples/helloworld/gen-helloworld.sh | 131 -- .../helloworld/helloworld-dual-stack.yaml | 75 -- .../helloworld/helloworld-gateway.yaml | 33 - .../samples/helloworld/helloworld.yaml | 71 -- istio-1.24.3/samples/helloworld/loadgen.sh | 17 - .../samples/helloworld/src/requirements.txt | 467 ------- istio-1.24.3/samples/httpbin/README.md | 41 - 
.../httpbin/gateway-api/httpbin-gateway.yaml | 25 - .../samples/httpbin/httpbin-gateway.yaml | 30 - .../samples/httpbin/httpbin-nodeport.yaml | 55 - istio-1.24.3/samples/httpbin/httpbin.yaml | 60 - .../httpbin/sample-client/fortio-deploy.yaml | 49 - .../samples/jwt-server/jwt-server.yaml | 125 -- istio-1.24.3/samples/jwt-server/src/Makefile | 19 - istio-1.24.3/samples/kind-lb/README.md | 59 - istio-1.24.3/samples/kind-lb/setupkind.sh | 271 ---- istio-1.24.3/samples/multicluster/README.md | 47 - .../multicluster/expose-istiod-https.yaml | 76 -- .../samples/multicluster/expose-istiod.yaml | 54 - .../samples/multicluster/expose-services.yaml | 16 - .../multicluster/gen-eastwest-gateway.sh | 146 --- .../samples/open-telemetry/als/README.md | 79 -- .../samples/open-telemetry/loki/REAME.md | 99 -- .../samples/open-telemetry/loki/iop.yaml | 15 - .../samples/open-telemetry/loki/otel.yaml | 122 -- .../open-telemetry/loki/telemetry.yaml | 9 - istio-1.24.3/samples/open-telemetry/otel.yaml | 143 --- .../samples/open-telemetry/tracing/README.md | 145 --- .../open-telemetry/tracing/telemetry.yaml | 9 - istio-1.24.3/samples/proxy-coredump/README.md | 16 - .../samples/proxy-coredump/daemonset.yaml | 45 - .../ratelimit/local-rate-limit-service.yaml | 87 -- .../samples/ratelimit/rate-limit-service.yaml | 151 --- .../samples/security/psp/sidecar-psp.yaml | 46 - istio-1.24.3/samples/security/spire/README.md | 90 -- .../security/spire/clusterspiffeid.yaml | 9 - .../samples/security/spire/curl-spire.yaml | 70 -- .../security/spire/istio-spire-config.yaml | 70 -- .../samples/security/spire/sleep-spire.yaml | 70 -- .../security/spire/spire-quickstart.yaml | 985 --------------- istio-1.24.3/samples/sleep/README.md | 6 - istio-1.24.3/samples/sleep/sleep.yaml | 66 - istio-1.24.3/samples/tcp-echo/README.md | 38 - .../tcp-echo/gateway-api/tcp-echo-20-v2.yaml | 16 - .../tcp-echo/gateway-api/tcp-echo-all-v1.yaml | 50 - .../samples/tcp-echo/tcp-echo-20-v2.yaml | 39 - 
.../samples/tcp-echo/tcp-echo-all-v1.yaml | 61 - .../samples/tcp-echo/tcp-echo-dual-stack.yaml | 62 - .../samples/tcp-echo/tcp-echo-ipv4.yaml | 61 - .../samples/tcp-echo/tcp-echo-ipv6.yaml | 61 - .../samples/tcp-echo/tcp-echo-services.yaml | 86 -- istio-1.24.3/samples/tcp-echo/tcp-echo.yaml | 58 - istio-1.24.3/samples/wasm_modules/README.md | 3 - .../wasm_modules/header_injector/Makefile | 22 - istio-1.24.3/samples/websockets/README.md | 48 - istio-1.24.3/samples/websockets/app.yaml | 37 - istio-1.24.3/samples/websockets/route.yaml | 32 - istio-1.24.3/tools/_istioctl | 212 ---- istio-1.24.3/tools/certs/Makefile.k8s.mk | 102 -- .../tools/certs/Makefile.selfsigned.mk | 98 -- istio-1.24.3/tools/certs/README.md | 46 - istio-1.24.3/tools/certs/common.mk | 101 -- istio-1.24.3/tools/istioctl.bash | 338 ----- 215 files changed, 16853 deletions(-) delete mode 100644 istio-1.24.3/LICENSE delete mode 100644 istio-1.24.3/README.md delete mode 100644 istio-1.24.3/manifest.yaml delete mode 100644 istio-1.24.3/manifests/profiles/ambient.yaml delete mode 100644 istio-1.24.3/manifests/profiles/default.yaml delete mode 100644 istio-1.24.3/manifests/profiles/demo.yaml delete mode 100644 istio-1.24.3/manifests/profiles/empty.yaml delete mode 100644 istio-1.24.3/manifests/profiles/minimal.yaml delete mode 100644 istio-1.24.3/manifests/profiles/openshift-ambient.yaml delete mode 100644 istio-1.24.3/manifests/profiles/openshift.yaml delete mode 100644 istio-1.24.3/manifests/profiles/preview.yaml delete mode 100644 istio-1.24.3/manifests/profiles/remote.yaml delete mode 100644 istio-1.24.3/manifests/profiles/stable.yaml delete mode 100644 istio-1.24.3/samples/README.md delete mode 100644 istio-1.24.3/samples/addons/README.md delete mode 100644 istio-1.24.3/samples/addons/extras/prometheus-operator.yaml delete mode 100644 istio-1.24.3/samples/addons/extras/skywalking.yaml delete mode 100644 istio-1.24.3/samples/addons/extras/zipkin.yaml delete mode 100644 
istio-1.24.3/samples/addons/grafana.yaml delete mode 100644 istio-1.24.3/samples/addons/jaeger.yaml delete mode 100644 istio-1.24.3/samples/addons/kiali.yaml delete mode 100644 istio-1.24.3/samples/addons/loki.yaml delete mode 100644 istio-1.24.3/samples/addons/prometheus.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/README.md delete mode 100644 istio-1.24.3/samples/ambient-argo/application/application.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/details.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/namespace.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/productpage.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/ratings.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/reviews.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/istio/cni.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/istio/extras.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/istio/tags.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/meta-application.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml delete mode 100644 
istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml delete mode 100644 istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/README.md delete mode 100644 istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml delete mode 100644 
istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/README.md delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml delete 
mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml delete mode 100755 istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh delete mode 100644 istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml delete mode 100644 istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml delete mode 100755 istio-1.24.3/samples/bookinfo/src/build-services.sh delete mode 100644 istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json delete mode 100644 istio-1.24.3/samples/bookinfo/src/mongodb/script.sh delete mode 100644 istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt delete mode 100644 istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt delete mode 100644 istio-1.24.3/samples/bookinfo/src/ratings/package.json delete mode 100644 istio-1.24.3/samples/bookinfo/swagger.yaml delete mode 100644 istio-1.24.3/samples/builder/README.md delete mode 100644 istio-1.24.3/samples/certs/README.md delete mode 100644 istio-1.24.3/samples/certs/ca-cert-alt-2.pem delete mode 100644 istio-1.24.3/samples/certs/ca-cert-alt.pem delete mode 100644 istio-1.24.3/samples/certs/ca-cert.pem delete mode 100644 istio-1.24.3/samples/certs/ca-key-alt-2.pem delete mode 100644 istio-1.24.3/samples/certs/ca-key-alt.pem delete mode 100644 istio-1.24.3/samples/certs/ca-key.pem delete mode 100644 istio-1.24.3/samples/certs/cert-chain-alt-2.pem delete mode 100644 istio-1.24.3/samples/certs/cert-chain-alt.pem delete mode 100644 istio-1.24.3/samples/certs/cert-chain.pem delete mode 100755 
istio-1.24.3/samples/certs/generate-workload.sh delete mode 100644 istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem delete mode 100644 istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem delete mode 100644 istio-1.24.3/samples/certs/root-cert-alt.pem delete mode 100644 istio-1.24.3/samples/certs/root-cert-combined-2.pem delete mode 100644 istio-1.24.3/samples/certs/root-cert-combined.pem delete mode 100644 istio-1.24.3/samples/certs/root-cert.pem delete mode 100644 istio-1.24.3/samples/certs/workload-bar-cert.pem delete mode 100644 istio-1.24.3/samples/certs/workload-bar-key.pem delete mode 100644 istio-1.24.3/samples/certs/workload-bar-root-certs.pem delete mode 100644 istio-1.24.3/samples/certs/workload-foo-cert.pem delete mode 100644 istio-1.24.3/samples/certs/workload-foo-key.pem delete mode 100644 istio-1.24.3/samples/certs/workload-foo-root-certs.pem delete mode 100644 istio-1.24.3/samples/cicd/skaffold/README.md delete mode 100644 istio-1.24.3/samples/cicd/skaffold/skaffold.yaml delete mode 100644 istio-1.24.3/samples/curl/README.md delete mode 100644 istio-1.24.3/samples/curl/curl.yaml delete mode 100644 istio-1.24.3/samples/custom-bootstrap/README.md delete mode 100644 istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml delete mode 100644 istio-1.24.3/samples/custom-bootstrap/example-app.yaml delete mode 100644 istio-1.24.3/samples/extauthz/README.md delete mode 100644 istio-1.24.3/samples/extauthz/ext-authz.yaml delete mode 100644 istio-1.24.3/samples/extauthz/local-ext-authz.yaml delete mode 100644 istio-1.24.3/samples/external/README.md delete mode 100644 istio-1.24.3/samples/external/aptget.yaml delete mode 100644 istio-1.24.3/samples/external/github.yaml delete mode 100644 istio-1.24.3/samples/external/pypi.yaml delete mode 100644 istio-1.24.3/samples/grpc-echo/README.md delete mode 100644 istio-1.24.3/samples/grpc-echo/grpc-echo.yaml delete mode 100644 istio-1.24.3/samples/health-check/liveness-command.yaml delete mode 100644 
istio-1.24.3/samples/health-check/liveness-http-same-port.yaml delete mode 100644 istio-1.24.3/samples/helloworld/README.md delete mode 100644 istio-1.24.3/samples/helloworld/gateway-api/README.md delete mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml delete mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml delete mode 100644 istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml delete mode 100755 istio-1.24.3/samples/helloworld/gen-helloworld.sh delete mode 100644 istio-1.24.3/samples/helloworld/helloworld-dual-stack.yaml delete mode 100644 istio-1.24.3/samples/helloworld/helloworld-gateway.yaml delete mode 100644 istio-1.24.3/samples/helloworld/helloworld.yaml delete mode 100755 istio-1.24.3/samples/helloworld/loadgen.sh delete mode 100644 istio-1.24.3/samples/helloworld/src/requirements.txt delete mode 100644 istio-1.24.3/samples/httpbin/README.md delete mode 100644 istio-1.24.3/samples/httpbin/gateway-api/httpbin-gateway.yaml delete mode 100644 istio-1.24.3/samples/httpbin/httpbin-gateway.yaml delete mode 100644 istio-1.24.3/samples/httpbin/httpbin-nodeport.yaml delete mode 100644 istio-1.24.3/samples/httpbin/httpbin.yaml delete mode 100644 istio-1.24.3/samples/httpbin/sample-client/fortio-deploy.yaml delete mode 100644 istio-1.24.3/samples/jwt-server/jwt-server.yaml delete mode 100644 istio-1.24.3/samples/jwt-server/src/Makefile delete mode 100644 istio-1.24.3/samples/kind-lb/README.md delete mode 100755 istio-1.24.3/samples/kind-lb/setupkind.sh delete mode 100644 istio-1.24.3/samples/multicluster/README.md delete mode 100644 istio-1.24.3/samples/multicluster/expose-istiod-https.yaml delete mode 100644 istio-1.24.3/samples/multicluster/expose-istiod.yaml delete mode 100644 istio-1.24.3/samples/multicluster/expose-services.yaml delete mode 100755 istio-1.24.3/samples/multicluster/gen-eastwest-gateway.sh delete mode 100644 istio-1.24.3/samples/open-telemetry/als/README.md delete mode 
100644 istio-1.24.3/samples/open-telemetry/loki/REAME.md delete mode 100644 istio-1.24.3/samples/open-telemetry/loki/iop.yaml delete mode 100644 istio-1.24.3/samples/open-telemetry/loki/otel.yaml delete mode 100644 istio-1.24.3/samples/open-telemetry/loki/telemetry.yaml delete mode 100644 istio-1.24.3/samples/open-telemetry/otel.yaml delete mode 100644 istio-1.24.3/samples/open-telemetry/tracing/README.md delete mode 100644 istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml delete mode 100644 istio-1.24.3/samples/proxy-coredump/README.md delete mode 100644 istio-1.24.3/samples/proxy-coredump/daemonset.yaml delete mode 100644 istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml delete mode 100644 istio-1.24.3/samples/ratelimit/rate-limit-service.yaml delete mode 100644 istio-1.24.3/samples/security/psp/sidecar-psp.yaml delete mode 100644 istio-1.24.3/samples/security/spire/README.md delete mode 100644 istio-1.24.3/samples/security/spire/clusterspiffeid.yaml delete mode 100644 istio-1.24.3/samples/security/spire/curl-spire.yaml delete mode 100644 istio-1.24.3/samples/security/spire/istio-spire-config.yaml delete mode 100644 istio-1.24.3/samples/security/spire/sleep-spire.yaml delete mode 100644 istio-1.24.3/samples/security/spire/spire-quickstart.yaml delete mode 100644 istio-1.24.3/samples/sleep/README.md delete mode 100644 istio-1.24.3/samples/sleep/sleep.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/README.md delete mode 100644 istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml delete mode 100644 
istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml delete mode 100644 istio-1.24.3/samples/tcp-echo/tcp-echo.yaml delete mode 100644 istio-1.24.3/samples/wasm_modules/README.md delete mode 100644 istio-1.24.3/samples/wasm_modules/header_injector/Makefile delete mode 100644 istio-1.24.3/samples/websockets/README.md delete mode 100644 istio-1.24.3/samples/websockets/app.yaml delete mode 100644 istio-1.24.3/samples/websockets/route.yaml delete mode 100644 istio-1.24.3/tools/_istioctl delete mode 100644 istio-1.24.3/tools/certs/Makefile.k8s.mk delete mode 100644 istio-1.24.3/tools/certs/Makefile.selfsigned.mk delete mode 100644 istio-1.24.3/tools/certs/README.md delete mode 100644 istio-1.24.3/tools/certs/common.mk delete mode 100644 istio-1.24.3/tools/istioctl.bash
diff --git a/istio-1.24.3/LICENSE b/istio-1.24.3/LICENSE
deleted file mode 100644
index 75bfd113..00000000
--- a/istio-1.24.3/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "{}"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright {yyyy} {name of copyright owner}
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/istio-1.24.3/README.md b/istio-1.24.3/README.md
deleted file mode 100644
index 3e1c9ad3..00000000
--- a/istio-1.24.3/README.md
+++ /dev/null
@@ -1,123 +0,0 @@ -# Istio - -[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395) -[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) -[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) - - - Istio logo - - ---- - -Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. - -- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) -- To ask questions and get assistance from our community, visit [Github Discussions](https://github.com/istio/istio/discussions) -- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) - -In this README: - -- [Introduction](#introduction) -- [Repositories](#repositories) -- [Issue management](#issue-management) - -In addition, here are some other documents you may wish to read: - -- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project -- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment -- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base -- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base - -You'll find many other useful documents on our 
[Wiki](https://github.com/istio/istio/wiki). - -## Introduction - -[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate -microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies -and aggregate telemetry data. Istio's control plane provides an abstraction -layer over the underlying cluster management platform, such as Kubernetes. - -Istio is composed of these components: - -- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic - between services in the cluster and from a service to external - services. The proxies form a _secure microservice mesh_ providing a rich - set of functions like discovery, rich layer-7 routing, circuit breakers, - policy enforcement and telemetry recording/reporting - functions. - - > Note: The service mesh is not an overlay network. It - > simplifies and enhances how microservices in an application talk to each - > other over the network provided by the underlying platform. - -- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: - - - **Pilot** - Responsible for configuring the proxies at runtime. - - - **Citadel** - Responsible for certificate issuance and rotation. - - - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. - -- **Operator** - The component provides user friendly options to operate the Istio service mesh. - -## Repositories - -The Istio project is divided across a few GitHub repositories: - -- [istio/api](https://github.com/istio/api). This repository defines -component-level APIs and common configuration formats for the Istio platform. - -- [istio/community](https://github.com/istio/community). 
This repository contains -information on the Istio community, including the various documents that govern -the Istio open source project. - -- [istio/istio](README.md). This is the main code repository. It hosts Istio's -core components, install artifacts, and sample programs. It includes: - - - [istioctl](istioctl/). This directory contains code for the -[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. - - - [pilot](pilot/). This directory -contains platform-specific code to populate the -[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies -when the application topology changes, as well as translate -[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. - - - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, -including Citadel (acting as Certificate Authority), citadel agent, etc. - -- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains -extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of -Envoy filters) that support authentication, authorization, and telemetry collection. - -- [istio/ztunnel](https://github.com/istio/ztunnel). The repository contains the Rust implementation of the ztunnel -component of Ambient mesh. - -- [istio/client-go](https://github.com/istio/client-go). This repository defines - auto-generated Kubernetes clients for interacting with Istio resources programmatically. - -> [!NOTE] -> Only the `istio/api` and `istio/client-go` repositories expose stable interfaces intended for direct usage as libraries. - -## Issue management - -We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: - -- **Epic**. An epic represents a feature area for Istio as a whole. 
Epics are fairly broad in scope and are basically product-level things. -Each issue is ultimately part of an epic. - -- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we -think the issue should get addressed. - -- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of -P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the -milestone cannot be considered achieved if the issue isn't resolved. - ---- - -
- Cloud Native Computing Foundation logo -

Istio is a Cloud Native Computing Foundation project.

-
diff --git a/istio-1.24.3/manifest.yaml b/istio-1.24.3/manifest.yaml deleted file mode 100644 index 3423f03b..00000000 --- a/istio-1.24.3/manifest.yaml +++ /dev/null @@ -1,36 +0,0 @@ -architectures: -- linux/amd64 -- linux/arm64 -dashboards: - istio-extension-dashboard: 13277 - istio-mesh-dashboard: 7639 - istio-performance-dashboard: 11829 - istio-service-dashboard: 7636 - istio-workload-dashboard: 7630 - pilot-dashboard: 7645 - ztunnel-dashboard: 21306 -dependencies: - api: - goversionenabled: true - sha: fef7700e8ddfc6489ebbf6376e0c2fd65e593630 - client-go: - goversionenabled: true - sha: e8de2e86eed8b60c035b955f896cdb725c3a4041 - envoy: - sha: 35c166bb5c90573151afbd94a0936741f9fab8bc - istio: - sha: 44d0e58e49d0dc89e27fc4f8679c68132d46b887 - proxy: - sha: 1c795e96d02ca3ddac6b8610b8368a65b91f990a - release-builder: - sha: dbfedb6f3a69e0192fa1b252b068b01c05dfc9c2 - test-infra: - sha: 144e6559bd90520b8d3e79ad7b27b98abfb3ecca - tools: - sha: 6abbfc29dd6ec45f2d0c9f8771b5ca702b83906a - ztunnel: - sha: 1ddf2f33fbbe75688a54c60fab2b805b2405f861 -docker: docker.io/istio -dockerOutput: tar -skipGenerateBillOfMaterials: false -version: 1.24.3 diff --git a/istio-1.24.3/manifests/profiles/ambient.yaml b/istio-1.24.3/manifests/profiles/ambient.yaml deleted file mode 100644 index fbdbf3a3..00000000 --- a/istio-1.24.3/manifests/profiles/ambient.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true - ztunnel: - enabled: true - ingressGateways: - - name: istio-ingressgateway - enabled: false - values: - profile: ambient diff --git a/istio-1.24.3/manifests/profiles/default.yaml b/istio-1.24.3/manifests/profiles/default.yaml deleted file mode 100644 index f8108eb3..00000000 --- a/istio-1.24.3/manifests/profiles/default.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system -spec: - hub: docker.io/istio - tag: 1.24.3 - - # Turn on default components: base, pilot, and ingress gateway - components: - base: - enabled: true - pilot: - enabled: true - # Istio Gateway feature - ingressGateways: - - name: istio-ingressgateway - enabled: true - egressGateways: - - name: istio-egressgateway - enabled: false - - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - gateways: - istio-ingressgateway: {} - istio-egressgateway: {} diff --git a/istio-1.24.3/manifests/profiles/demo.yaml b/istio-1.24.3/manifests/profiles/demo.yaml deleted file mode 100644 index e5de1182..00000000 --- a/istio-1.24.3/manifests/profiles/demo.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - egressGateways: - - name: istio-egressgateway - enabled: true - values: - profile: demo \ No newline at end of file diff --git a/istio-1.24.3/manifests/profiles/empty.yaml b/istio-1.24.3/manifests/profiles/empty.yaml deleted file mode 100644 index 07de5b1e..00000000 --- a/istio-1.24.3/manifests/profiles/empty.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: false - pilot: - enabled: false - ingressGateways: - - name: istio-ingressgateway - enabled: false diff --git a/istio-1.24.3/manifests/profiles/minimal.yaml b/istio-1.24.3/manifests/profiles/minimal.yaml deleted file mode 100644 index 075881ee..00000000 --- a/istio-1.24.3/manifests/profiles/minimal.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -# The minimal profile will install just the core control plane -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - ingressGateways: - - name: istio-ingressgateway - enabled: false diff --git a/istio-1.24.3/manifests/profiles/openshift-ambient.yaml b/istio-1.24.3/manifests/profiles/openshift-ambient.yaml deleted file mode 100644 index 6e00707f..00000000 --- a/istio-1.24.3/manifests/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true - namespace: kube-system - ztunnel: - enabled: true - namespace: kube-system - ingressGateways: - - name: istio-ingressgateway - enabled: false - values: - profile: ambient - global: - platform: openshift - diff --git a/istio-1.24.3/manifests/profiles/openshift.yaml b/istio-1.24.3/manifests/profiles/openshift.yaml deleted file mode 100644 index 2304deda..00000000 --- a/istio-1.24.3/manifests/profiles/openshift.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true - namespace: kube-system - values: - global: - platform: openshift diff --git a/istio-1.24.3/manifests/profiles/preview.yaml b/istio-1.24.3/manifests/profiles/preview.yaml deleted file mode 100644 index d48d8412..00000000 --- a/istio-1.24.3/manifests/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - profile: preview diff --git a/istio-1.24.3/manifests/profiles/remote.yaml b/istio-1.24.3/manifests/profiles/remote.yaml deleted file mode 100644 index 46be8baa..00000000 --- a/istio-1.24.3/manifests/profiles/remote.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: true - pilot: - enabled: true - ingressGateways: - - name: istio-ingressgateway - enabled: false - values: - profile: remote diff --git a/istio-1.24.3/manifests/profiles/stable.yaml b/istio-1.24.3/manifests/profiles/stable.yaml deleted file mode 100644 index f4c4ef1f..00000000 --- a/istio-1.24.3/manifests/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - profile: stable diff --git a/istio-1.24.3/samples/README.md b/istio-1.24.3/samples/README.md deleted file mode 100644 index a1a140f8..00000000 --- a/istio-1.24.3/samples/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Istio Samples - -This directory contains sample applications highlighting various Istio features. diff --git a/istio-1.24.3/samples/addons/README.md b/istio-1.24.3/samples/addons/README.md deleted file mode 100644 index 6259c014..00000000 --- a/istio-1.24.3/samples/addons/README.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Telemetry Addons - -This directory contains sample deployments of various addons that integrate with Istio. While these applications -are not a part of Istio, they are essential to making the most of Istio's observability features. - -The deployments here are meant to quickly get up and running, and are optimized for this case. As a result, -they may not be suitable for production. See below for more info on integrating a production grade version of each -addon. - -## Getting started - -To quickly deploy all addons: - -```shell script -kubectl apply -f samples/addons -``` - -Alternatively, you can deploy individual addons: - -```shell script -kubectl apply -f samples/addons/prometheus.yaml -``` - -## Addons - -### Prometheus - -[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database. -You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh. -You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali). - -For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/). - -### Grafana - -[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio. -You can use Grafana to monitor the health of Istio and of applications within the service mesh. - -This sample provides the following dashboards: - -* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh. -* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service. -* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload. -* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh. 
-* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane. -* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state. - -For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/). - -### Kiali - -[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities. -It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh. -Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries. -Distributed tracing is provided by integrating [Jaeger](#jaeger). - -For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task. - -### Jaeger - -[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems. - -Jaeger helps in a variety of tasks including: - -* Distributed context propagation -* Distributed transaction monitoring -* Root cause analysis -* Service dependency analysis -* Performance / latency optimization - -For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/). - -### Zipkin - -[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data. - -Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`. 
-You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it -to begin with by following the selective installation steps in [Getting Started](#getting-started). - -For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/). - -### Prometheus Operator - -The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance. - -As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor` -Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`. - -> **Note** -> -> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default. -> -> **Note** -> -> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components. -> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this. -> -> **Warning** -> -> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist. -> This is because `namespaceSelector` is ignored for tenancy isolation. diff --git a/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml b/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml deleted file mode 100644 index 73a926ef..00000000 --- a/istio-1.24.3/samples/addons/extras/prometheus-operator.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: envoy-stats-monitor - namespace: istio-system - labels: - monitoring: istio-proxies - release: istio -spec: - selector: - matchExpressions: - - {key: istio-prometheus-ignore, operator: DoesNotExist} - namespaceSelector: - any: true - jobLabel: envoy-stats - podMetricsEndpoints: - - path: /stats/prometheus - interval: 15s - relabelings: - - action: keep - sourceLabels: [__meta_kubernetes_pod_container_name] - regex: "istio-proxy" - - action: keep - sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape] - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - sourceLabels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - targetLabel: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - sourceLabels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - targetLabel: __address__ - - action: labeldrop - regex: "__meta_kubernetes_pod_label_(.+)" - - sourceLabels: [__meta_kubernetes_namespace] - action: replace - targetLabel: namespace - - sourceLabels: [__meta_kubernetes_pod_name] - action: replace - targetLabel: pod_name ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: istio-component-monitor - namespace: istio-system - labels: - monitoring: istio-components - release: istio -spec: - jobLabel: istio - targetLabels: [app] - selector: - matchExpressions: - - {key: istio, operator: In, values: [pilot]} - namespaceSelector: - any: true - endpoints: - - port: http-monitoring - interval: 15s diff --git a/istio-1.24.3/samples/addons/extras/skywalking.yaml b/istio-1.24.3/samples/addons/extras/skywalking.yaml deleted file mode 100644 index 2bc0c4df..00000000 --- a/istio-1.24.3/samples/addons/extras/skywalking.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-oap - namespace: istio-system - labels: - app: skywalking-oap -spec: - selector: - matchLabels: - app: skywalking-oap - template: - metadata: - labels: - app: skywalking-oap - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-oap - image: apache/skywalking-oap-server:9.7.0 - env: - - name: SW_HEALTH_CHECKER - value: default - readinessProbe: - exec: - command: - - /skywalking/bin/swctl - - health - initialDelaySeconds: 30 - periodSeconds: 5 - ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: skywalking-oap -spec: - type: ClusterIP - ports: - - name: grpc - port: 11800 - protocol: TCP - targetPort: 11800 - - name: http-query - port: 12800 - protocol: TCP - targetPort: 12800 - selector: - app: skywalking-oap ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: skywalking-oap - name: skywalking-oap - namespace: istio-system -spec: - ports: - - port: 11800 - targetPort: 11800 - name: grpc - - port: 12800 - targetPort: 12800 - name: http-query - selector: - app: skywalking-oap ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - selector: - matchLabels: - app: skywalking-ui - template: - metadata: - labels: - app: skywalking-ui - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-ui - image: apache/skywalking-ui:9.1.0 - env: - - name: SW_OAP_ADDRESS - value: http://skywalking-oap:12800 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 30 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - type: ClusterIP - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: skywalking-ui ---- -apiVersion: v1 -kind: Service 
-metadata:
- labels:
- name: skywalking-ui
- name: skywalking-ui
- namespace: istio-system
-spec:
- ports:
- - port: 8080
- targetPort: 8080
- name: http
- selector:
- app: skywalking-ui
diff --git a/istio-1.24.3/samples/addons/extras/zipkin.yaml b/istio-1.24.3/samples/addons/extras/zipkin.yaml
deleted file mode 100644
index 3a9d259b..00000000
--- a/istio-1.24.3/samples/addons/extras/zipkin.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zipkin
- namespace: istio-system
- labels:
- app: zipkin
-spec:
- selector:
- matchLabels:
- app: zipkin
- template:
- metadata:
- labels:
- app: zipkin
- sidecar.istio.io/inject: "false"
- spec:
- containers:
- - name: zipkin
- image: openzipkin/zipkin-slim:3.4.0
- env:
- - name: STORAGE_METHOD
- value: "mem"
- readinessProbe:
- httpGet:
- path: /health
- port: 9411
- initialDelaySeconds: 5
- periodSeconds: 5
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: istio-system
- labels:
- app: zipkin
-spec:
- type: ClusterIP
- ports:
- - name: http-query
- port: 80
- protocol: TCP
- targetPort: 9411
- selector:
- app: zipkin
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: zipkin
- name: zipkin
- namespace: istio-system
-spec:
- ports:
- - port: 9411
- targetPort: 9411
- name: http-query
- selector:
- app: zipkin
diff --git a/istio-1.24.3/samples/addons/grafana.yaml b/istio-1.24.3/samples/addons/grafana.yaml
deleted file mode 100644
index c19ae7d1..00000000
--- a/istio-1.24.3/samples/addons/grafana.yaml
+++ /dev/null
@@ -1,1112 +0,0 @@ ---- -# Source: grafana/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: false -metadata: - labels: - helm.sh/chart: grafana-8.5.8 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "11.2.2-security-01" - app.kubernetes.io/managed-by: Helm - name: grafana - namespace: istio-system ---- -# Source: grafana/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-8.5.8 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "11.2.2-security-01" - app.kubernetes.io/managed-by: Helm -data: - - grafana.ini: | - [analytics] - check_for_updates = true - [grafana_net] - url = https://grafana.net - [log] - mode = console - [paths] - data = /var/lib/grafana/ - logs = /var/log/grafana - plugins = /var/lib/grafana/plugins - provisioning = /etc/grafana/provisioning - [server] - domain = '' - datasources.yaml: | - apiVersion: 1 - datasources: - - access: proxy - editable: true - isDefault: true - jsonData: - timeInterval: 15s - name: Prometheus - orgId: 1 - type: prometheus - url: http://prometheus:9090 - - access: proxy - editable: true - isDefault: false - jsonData: - timeInterval: 5s - name: Loki - orgId: 1 - type: loki - url: http://loki:3100 - dashboardproviders.yaml: | - apiVersion: 1 - providers: - - disableDeletion: false - folder: istio - name: istio - options: - path: /var/lib/grafana/dashboards/istio - orgId: 1 - type: file - - disableDeletion: false - folder: istio - name: istio-services - options: - path: /var/lib/grafana/dashboards/istio-services - orgId: 1 - type: file ---- -# Source: grafana/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-8.5.8 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - 
app.kubernetes.io/version: "11.2.2-security-01" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: service - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana ---- -# Source: grafana/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-8.5.8 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "11.2.2-security-01" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - strategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 68c00ea91b7ba5c04efc55555ef2307f52aaf738b04e9665e91bb756c8f32b22 - checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24 - kubectl.kubernetes.io/default-container: grafana - spec: - - serviceAccountName: grafana - automountServiceAccountToken: true - enableServiceLinks: true - containers: - - name: grafana - image: "docker.io/grafana/grafana:11.2.2-security-01" - imagePullPolicy: IfNotPresent - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: config - mountPath: "/etc/grafana/grafana.ini" - subPath: grafana.ini - - name: storage - mountPath: "/var/lib/grafana" - - name: dashboards-istio - mountPath: "/var/lib/grafana/dashboards/istio" - - name: dashboards-istio-services - mountPath: "/var/lib/grafana/dashboards/istio-services" - - name: config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: "datasources.yaml" - - name: config - 
mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: "dashboardproviders.yaml" - ports: - - name: grafana - containerPort: 3000 - protocol: TCP - - name: gossip-tcp - containerPort: 9094 - protocol: TCP - - name: gossip-udp - containerPort: 9094 - protocol: UDP - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: GF_PATHS_DATA - value: /var/lib/grafana/ - - name: GF_PATHS_LOGS - value: /var/log/grafana - - name: GF_PATHS_PLUGINS - value: /var/lib/grafana/plugins - - name: GF_PATHS_PROVISIONING - value: /etc/grafana/provisioning - - name: "GF_AUTH_ANONYMOUS_ENABLED" - value: "true" - - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" - value: "Admin" - - name: "GF_AUTH_BASIC_ENABLED" - value: "false" - - name: "GF_SECURITY_ADMIN_PASSWORD" - value: "admin" - - name: "GF_SECURITY_ADMIN_USER" - value: "admin" - livenessProbe: - failureThreshold: 10 - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 60 - timeoutSeconds: 30 - readinessProbe: - httpGet: - path: /api/health - port: 3000 - volumes: - - name: config - configMap: - name: grafana - - name: dashboards-istio - configMap: - name: istio-grafana-dashboards - - name: dashboards-istio-services - configMap: - name: istio-services-grafana-dashboards - - name: storage - emptyDir: {} - ---- - -apiVersion: v1 -data: - istio-performance-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":{"type":"datasource","uid":"grafana"},"enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"links":[],"liveNow":false,"panels":[{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Performance Dashboard 
Notes","type":"row"},{"gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"options":{"code":{"language":"plaintext","showLineNumbers":false,"showMiniMap":false},"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","mode":"markdown"},"pluginVersion":"10.1.5","title":"Performance Dashboard README","transparent":true,"type":"text"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":7},"id":6,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"vCPU 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":8},"id":4,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"vCPU / 1k 
rps","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":8},"id":7,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"vCPU","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":16},"id":13,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Memory and Data 
Rates","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":17},"id":902,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"title":"Memory 
Usage","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"Bps"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":17},"id":11,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"title":"Bytes transferred / sec","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":25},"id":17,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Istio Component 
Versions","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":24,"x":0,"y":26},"id":15,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"title":"Istio Components by Version","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":34},"id":71,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Proxy Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":0,"y":35},"id":72,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":6,"y":35},"id":73,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"vCPU","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":12,"y":35},"id":702,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"title":"Disk","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":42},"id":69,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Istiod Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":0,"y":43},"id":5,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap 
alloc","refId":"D"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":6,"y":43},"id":602,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"title":"vCPU","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":12,"y":43},"id":74,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"title":"Disk","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":7,"w":6,"x":18,"y":43},"id":402,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":false},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"title":"Goroutines","type":"timeseries"}],"refresh":"","schemaVersion":38,"style":"dark","tags":[],"templating":{"list":[{"hide":0,"includeAll":false,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timepicker":{"refresh_intervals":["30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","version":1,"weekStart":""} - pilot-dashboard.json: | - {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Deployed Versions","type":"row"},{"datasource":{"type":"datasource","uid":"-- 
Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (tag) (istio_build{component=\"pilot\"})","legendFormat":"Version ({{tag}})"}],"title":"Pilot Versions","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":3,"panels":[],"title":"Resource Usage","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Memory usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"bytes"}},"gridPos":{"h":10,"w":6,"x":0,"y":2},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (container_memory_working_set_bytes{container=\"discovery\",pod=~\"istiod-.*\"})","legendFormat":"Container ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_stack_inuse_bytes{app=\"istiod\"})","legendFormat":"Stack ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_heap_inuse_bytes{app=\"istiod\"})","legendFormat":"Heap (In Use) ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (go_memstats_heap_alloc_bytes{app=\"istiod\"})","legendFormat":"Heap (Allocated) ({{pod}})"}],"title":"Memory Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Details about memory 
allocations","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"Bps"},"overrides":[{"matcher":{"id":"byFrameRefID","options":"B"},"properties":[{"id":"custom.axisPlacement","value":"right"},{"id":"unit","value":"c/s"}]}]},"gridPos":{"h":10,"w":6,"x":6,"y":2},"id":5,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(go_memstats_alloc_bytes_total{app=\"istiod\"}[$__rate_interval]))","legendFormat":"Bytes ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(go_memstats_mallocs_total{app=\"istiod\"}[$__rate_interval]))","legendFormat":"Objects ({{pod}})"}],"title":"Memory Allocations","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"CPU usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":6,"x":12,"y":2},"id":6,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (irate(container_cpu_usage_seconds_total{container=\"discovery\",pod=~\"istiod-.*\"}[$__rate_interval]))","legendFormat":"Container ({{pod}})"}],"title":"CPU Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Goroutine count for each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":6,"x":18,"y":2},"id":7,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) 
(go_goroutines{app=\"istiod\"})","legendFormat":"Goroutines ({{pod}})"}],"title":"Goroutines","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":3},"id":8,"panels":[],"title":"Push Information","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"fieldConfig":{"defaults":{"custom":{"drawStyle":"bars","fillOpacity":100,"gradientMode":"none","showPoints":"never","stacking":{"mode":"normal"}},"unit":"ops"},"overrides":[{"matcher":{"id":"byName","options":"cds"},"properties":[{"id":"displayName","value":"Clusters"}]},{"matcher":{"id":"byName","options":"eds"},"properties":[{"id":"displayName","value":"Endpoints"}]},{"matcher":{"id":"byName","options":"lds"},"properties":[{"id":"displayName","value":"Listeners"}]},{"matcher":{"id":"byName","options":"rds"},"properties":[{"id":"displayName","value":"Routes"}]},{"matcher":{"id":"byName","options":"nds"},"properties":[{"id":"displayName","value":"DNS Tables"}]},{"matcher":{"id":"byName","options":"istio.io/debug"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"istio.io/debug/syncz"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"wads"},"properties":[{"id":"displayName","value":"Authorization"}]},{"matcher":{"id":"byName","options":"wds"},"properties":[{"id":"displayName","value":"Workloads"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.security.Authorization"},"properties":[{"id":"displayName","value":"Authorizations"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.workload.Address"},"properties":[{"id":"displayName","value":"Addresses"}]}]},"gridPos":{"h":10,"w":8,"x":0,"y":4},"id":9,"interval":"15s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (irate(pilot_xds_pushes[$__rate_interval]))","legendFormat":"{{type}}"}],"title":"XDS 
Pushes","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS push.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":8,"y":4},"id":10,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type,event) (rate(pilot_k8s_reg_events[$__rate_interval]))","legendFormat":"{{event}} {{type}}"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type,event) (rate(pilot_k8s_cfg_events[$__rate_interval]))","legendFormat":"{{event}} {{type}}"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (rate(pilot_push_triggers[$__rate_interval]))","legendFormat":"Push {{type}}"}],"title":"Events","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total number of XDS connections\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":16,"y":4},"id":11,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","legendFormat":"Connections (client reported)"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (pilot_xds)","legendFormat":"Connections (server reported)"}],"title":"Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Number of push errors. 
Many of these are at least potentional fatal and should be explored in-depth via Istiod logs.\nNote: metrics here do not use rate() to avoid missing transition from \"No series\"; series are not reported if there are no errors at all.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":10,"w":8,"x":0,"y":14},"id":12,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (type) (pilot_total_xds_rejects)","legendFormat":"Rejected Config ({{type}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"pilot_total_xds_internal_errors","legendFormat":"Internal Errors"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"pilot_xds_push_context_errors","legendFormat":"Push Context Errors"}],"title":"Push Errors","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of active and pending proxies managed by each instance.\nPending is expected to converge to zero.\n","gridPos":{"h":10,"w":8,"x":8,"y":14},"id":13,"interval":"1m","options":{"calculation":{"xBuckets":{"mode":"size","value":"1min"}},"cellGap":0,"color":{"mode":"scheme","scheme":"Spectral","steps":128},"yAxis":{"decimals":0,"unit":"s"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(rate(pilot_xds_push_time_bucket{}[1m])) by (le)","format":"heatmap","legendFormat":"{{le}}"}],"title":"Push Time","type":"heatmap"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS 
push.\n","gridPos":{"h":10,"w":8,"x":16,"y":14},"id":14,"interval":"1m","options":{"calculation":{"xBuckets":{"mode":"size","value":"1min"}},"cellGap":0,"color":{"mode":"scheme","scheme":"Spectral","steps":128},"yAxis":{"decimals":0,"unit":"bytes"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum(rate(pilot_xds_config_size_bytes_bucket{}[1m])) by (le)","format":"heatmap","legendFormat":"{{le}}"}],"title":"Push Size","type":"heatmap"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":100},"id":15,"panels":[],"title":"Webhooks","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Rate of XDS push operations, by type. This is incremented on a per-proxy basis.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":12,"x":0,"y":101},"id":16,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(galley_validation_passed[$__rate_interval]))","legendFormat":"Success"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(galley_validation_failed[$__rate_interval]))","legendFormat":"Failure"}],"title":"Validation","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Size of each xDS push.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":12,"x":12,"y":101},"id":17,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(sidecar_injection_success_total[$__rate_interval]))","legendFormat":"Success"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum 
(rate(sidecar_injection_failure_total[$__rate_interval]))","legendFormat":"Failure"}],"title":"Injection","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Control Plane Dashboard","uid":"1813f692a8e4ac77155348d4c7d2fba8"} - ztunnel-dashboard.json: | - {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Process","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (tag) (istio_build{component=\"ztunnel\"})","legendFormat":"Version ({{tag}})"}],"title":"Ztunnel Versions","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Memory usage of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"bytes"}},"gridPos":{"h":8,"w":8,"x":8,"y":1},"id":3,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (container_memory_working_set_bytes{container=\"istio-proxy\",pod=~\"ztunnel-.*\"})","legendFormat":"Container ({{pod}})"}],"title":"Memory Usage","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"CPU usage of each running 
instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":16,"y":1},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (irate(container_cpu_usage_seconds_total{container=\"istio-proxy\",pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Container ({{pod}})"}],"title":"CPU Usage","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":9},"id":5,"panels":[],"title":"Network","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Connections opened and closed per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"cps"}},"gridPos":{"h":8,"w":8,"x":0,"y":10},"id":6,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_tcp_connections_opened_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Opened ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"-sum by (pod) (rate(istio_tcp_connections_closed_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Closed ({{pod}})"}],"title":"Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Bytes sent and received per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"Bps"}},"gridPos":{"h":8,"w":8,"x":8,"y":10},"id":7,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) 
(rate(istio_tcp_sent_bytes_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Sent ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_tcp_received_bytes_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Received ({{pod}})"}],"title":"Bytes Transmitted","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"DNS queries received per instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"qps"}},"gridPos":{"h":8,"w":8,"x":16,"y":10},"id":8,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_dns_requests_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"Request ({{pod}})"}],"title":"DNS Request","type":"timeseries"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":18},"id":9,"panels":[],"title":"Operations","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of XDS connection terminations.\nThis will typically spike every 30min for each instance.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":0,"y":19},"id":10,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (rate(istio_xds_connection_terminations_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"XDS Connection Terminations ({{pod}})"}],"title":"XDS Connections","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed 
--"},"fieldConfig":{"defaults":{"custom":{"drawStyle":"bars","fillOpacity":100,"gradientMode":"none","showPoints":"never","stacking":{"mode":"normal"}},"unit":"ops"},"overrides":[{"matcher":{"id":"byName","options":"cds"},"properties":[{"id":"displayName","value":"Clusters"}]},{"matcher":{"id":"byName","options":"eds"},"properties":[{"id":"displayName","value":"Endpoints"}]},{"matcher":{"id":"byName","options":"lds"},"properties":[{"id":"displayName","value":"Listeners"}]},{"matcher":{"id":"byName","options":"rds"},"properties":[{"id":"displayName","value":"Routes"}]},{"matcher":{"id":"byName","options":"nds"},"properties":[{"id":"displayName","value":"DNS Tables"}]},{"matcher":{"id":"byName","options":"istio.io/debug"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"istio.io/debug/syncz"},"properties":[{"id":"displayName","value":"Debug"}]},{"matcher":{"id":"byName","options":"wads"},"properties":[{"id":"displayName","value":"Authorization"}]},{"matcher":{"id":"byName","options":"wds"},"properties":[{"id":"displayName","value":"Workloads"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.security.Authorization"},"properties":[{"id":"displayName","value":"Authorizations"}]},{"matcher":{"id":"byName","options":"type.googleapis.com/istio.workload.Address"},"properties":[{"id":"displayName","value":"Addresses"}]}]},"gridPos":{"h":8,"w":8,"x":8,"y":19},"id":11,"interval":"15s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (url) (irate(istio_xds_message_total{pod=~\"ztunnel-.*\"}[$__rate_interval]))","legendFormat":"{{url}}"}],"title":"XDS Pushes","type":"timeseries"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Count of active and pending proxies managed by each instance.\nPending is expected to converge to 
zero.\n","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":8,"x":16,"y":19},"id":12,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (workload_manager_active_proxy_count{pod=~\"ztunnel-.*\"})","legendFormat":"Active Proxies ({{pod}})"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (pod) (workload_manager_pending_proxy_count{pod=~\"ztunnel-.*\"})","legendFormat":"Pending Proxies ({{pod}})"}],"title":"Workload Manager","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Ztunnel Dashboard","uid":"12c58766acc81a1c835dd5059eaf2741"} -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-grafana-dashboards - namespace: istio-system - ---- - -apiVersion: v1 -data: - istio-extension-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":{"type":"datasource","uid":"grafana"},"enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":true,"fiscalYearStartMonth":0,"graphTooltip":0,"links":[],"liveNow":false,"panels":[{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Wasm 
VMs","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"description":"","fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":1},"id":2,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"title":"Active","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"gree
n","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":1},"id":6,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"title":"Created","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Wasm Module Remote Load","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":0,"y":10},"id":11,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legen
dFormat":"entries","refId":"A"}],"title":"Cache Entry","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":8,"y":10},"id":8,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"title":"Cache 
Visit","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":8,"x":16,"y":10},"id":10,"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"title":"Remote Fetch","type":"timeseries"},{"collapsed":false,"datasource":{"type":"prometheus","uid":"${datasource}"},"gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"refId":"A"}],"title":"Proxy Resource 
Usage","type":"row"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"bytes"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":0,"y":19},"id":72,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"title":"Memory","type":"timeseries"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"fieldConfig":{"defaults":{"color":{"mode":"palette-classic"},"custom":{"axisCenteredZero":false,"axisColorMode":"text","axisLabel":"","axisPlacement":"auto","barAlignment":0,"drawStyle":"line","fillOpacity":10,"gradientMode":"none","hideFrom":{"legend":false,"tooltip":false,"viz":false},"insertNulls":false,"lineInterpolation":"linear","lineWidth":1,"pointSize":5,"scaleDistribution":{"type":"linear"},"showPoints":"never","spanNulls":false,"stacking":{"group":"A","mode":"none"},"thresholdsStyle":{"mode":"off"}},"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]},"unit":"short"},"overrides":[]},"gridPos":{"h":8,"w":12,"x":12,"y":19},"id":73,"links":[],"options":{"legend":{"calcs":[],"displayMode":"list","placement":"bottom","showLegend":true},"tooltip":{"mode":"multi","sort":"none"}},"pluginVersion":"10.1.5","targets":[{"datasource":{"type":"prometheus","uid":"${datasource}"},"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"title":"vCPU","type":"timeseries"}],"refresh":"","schemaVersion":38,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":false,"text":"default","value":"default"},"hide":0,"includeAll":false,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","version":1,"weekStart":""} - istio-mesh-dashboard.json: | - {"graphTooltip":1,"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"panels":[],"title":"Global 
Traffic","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total requests in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":0,"y":1},"id":2,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), 0.01)"}],"title":"Traffic Volume","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total success rate of requests in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"percentunit"}},"gridPos":{"h":5,"w":6,"x":6,"y":1},"id":3,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code!~\"5..\"}[$__rate_interval])) / sum (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval]))"}],"title":"Success Rate","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total 4xx requests in in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":12,"y":1},"id":4,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code=~\"4..\"}[$__rate_interval])), 
0.01)or vector(0)"}],"title":"4xxs","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Total 5xx requests in in the cluster","fieldConfig":{"defaults":{"color":{"fixedColor":"blue","mode":"fixed"},"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"},"unit":"reqps"}},"gridPos":{"h":5,"w":6,"x":18,"y":1},"id":5,"interval":"5s","options":{"legend":{"calcs":["last","max"],"displayMode":"table"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"round(sum (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code=~\"5..\"}[$__rate_interval])), 0.01)or vector(0)"}],"title":"5xxs","type":"stat"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Request information for HTTP services","fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Value #requests"},"properties":[{"id":"displayName","value":"Requests"},{"id":"decimals","value":2},{"id":"unit","value":"reqps"}]},{"matcher":{"id":"byName","options":"Value #p50"},"properties":[{"id":"displayName","value":"P50 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #p90"},"properties":[{"id":"displayName","value":"P90 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #p99"},"properties":[{"id":"displayName","value":"P99 Latency"},{"id":"decimals","value":2},{"id":"unit","value":"ms"}]},{"matcher":{"id":"byName","options":"Value #success"},"properties":[{"id":"displayName","value":"Success 
Rate"},{"id":"decimals","value":2},{"id":"unit","value":"percentunit"},{"id":"custom.cellOptions","value":{"type":"color-background"}},{"id":"thresholds","value":{"mode":"absolute","steps":[{"color":"red","value":null},{"color":"yellow","value":"0.95"},{"color":"green","value":1}]}}]},{"matcher":{"id":"byName","options":"destination_workload_var"},"properties":[{"id":"displayName","value":"Workload"}]},{"matcher":{"id":"byName","options":"destination_service"},"properties":[{"id":"displayName","value":"Service"},{"id":"custom.minWidth","value":400}]},{"matcher":{"id":"byName","options":"destination_workload_namespace"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"destination_workload"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"Time"},"properties":[{"id":"custom.hidden","value":true}]}]},"gridPos":{"h":16,"w":24,"y":10},"id":6,"interval":"5s","pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"requests"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.5, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"p50"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.9, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"p90"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(histogram_quantile(0.99, sum by (le,destination_workload,destination_workload_namespace) (rate(istio_request_duration_milliseconds_bucket{reporter=~\"source|waypoint\"}[$__rate_interval]))), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"p99"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace) (rate(istio_requests_total{reporter=~\"source|waypoint\",response_code!~\"5..\"}[$__rate_interval]))/sum by (destination_workload,destination_workload_namespace) (rate(istio_requests_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"success"}],"title":"HTTP/gRPC Workloads","transformations":[{"id":"merge"}],"type":"table"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Bytes sent and recieived information for TCP services","fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Value #recv"},"properties":[{"id":"displayName","value":"Bytes 
Received"},{"id":"decimals","value":2},{"id":"unit","value":"bps"}]},{"matcher":{"id":"byName","options":"Value #sent"},"properties":[{"id":"displayName","value":"Bytes Sent"},{"id":"decimals","value":2},{"id":"unit","value":"bps"}]},{"matcher":{"id":"byName","options":"destination_workload_var"},"properties":[{"id":"displayName","value":"Workload"}]},{"matcher":{"id":"byName","options":"destination_service"},"properties":[{"id":"displayName","value":"Service"},{"id":"custom.minWidth","value":400}]},{"matcher":{"id":"byName","options":"destination_workload_namespace"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"destination_workload"},"properties":[{"id":"custom.hidden","value":true}]},{"matcher":{"id":"byName","options":"Time"},"properties":[{"id":"custom.hidden","value":true}]}]},"gridPos":{"h":16,"w":24,"y":26},"id":7,"interval":"5s","pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_tcp_received_bytes_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"recv"},{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"label_join(sum by (destination_workload,destination_workload_namespace,destination_service) (rate(istio_tcp_sent_bytes_total{reporter=~\"source|waypoint\"}[$__rate_interval])), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","instant":true,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"sent"}],"title":"TCP 
Workloads","transformations":[{"id":"merge"}],"type":"table"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":42},"id":8,"panels":[],"title":"Istio Component Versions","type":"row"},{"datasource":{"type":"datasource","uid":"-- Mixed --"},"description":"Version number of each running instance","fieldConfig":{"defaults":{"custom":{"fillOpacity":10,"gradientMode":"hue","showPoints":"never"}}},"gridPos":{"h":8,"w":24,"x":0,"y":43},"id":9,"interval":"5s","options":{"legend":{"calcs":[],"displayMode":"list"}},"pluginVersion":"v11.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"sum by (component,tag) (istio_build)","legendFormat":"{{component}} ({{tag}})"}],"title":"Istio Component Versions","type":"timeseries"}],"refresh":"15s","schemaVersion":39,"templating":{"list":[{"name":"datasource","query":"prometheus","type":"datasource"}]},"time":{"from":"now-30m","to":"now"},"timezone":"utc","title":"Istio Mesh Dashboard","uid":"1a9a8ea49444aae205c7737573e894f9"} - istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":{\"type\":\"datasource\",\"uid\":\"grafana\"},\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, - 211, 255, 1)\",\"name\":\"Annotations & Alerts\",\"type\":\"dashboard\"}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"links\":[],\"liveNow\":false,\"panels\":[{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"General\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Client - Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[],\"noValue\":\"0\",\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"dark-red\",\"value\":null},{\"color\":\"dark-yellow\",\"value\":0.95},{\"color\":\"dark-green\",\"value\":0.99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"editorMode\":\"code\",\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / (sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])) - or on () vector(1))\",\"format\":\"time_series\",\"intervalFactor\":1,\"range\":true,\"refId\":\"A\"}],\"title\":\"Client - Success Rate (non-5xx 
responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"id\":87,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Client - Request Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP - Received 
Bytes\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Server - Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[],\"noValue\":\"0\",\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"rgba(50, - 172, 45, 0.97)\",\"value\":null},{\"color\":\"rgba(237, 129, 40, 0.89)\",\"value\":95},{\"color\":\"rgba(245, - 54, 54, 
0.9)\",\"value\":99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"editorMode\":\"code\",\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / (sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])) - or on () vector(1))\",\"format\":\"time_series\",\"intervalFactor\":1,\"range\":true,\"refId\":\"A\"}],\"title\":\"Server - Success Rate (non-5xx responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"id\":99,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\
":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Server - Request Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP - Sent Bytes\",\"type\":\"stat\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":12},\"id\":104,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Client - Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"id\":25,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming - Requests By Source And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"id\":26,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"mul
ti\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming - Success Rate (non-5xx responses) By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"id\":27,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Duration By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[
{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"id\":28,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Size By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"id\":68,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response Size By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"id\":80,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Received from Incoming TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"id\":82,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", 
destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"type\":\"timeseries\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":34},\"id\":102,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Service - Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":35},\"id\":69,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":38},\"id\":90,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, - destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming Requests By Destination - Workload And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":38},\"id\":91,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom
\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming - Success Rate (non-5xx responses) By Destination 
Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":44},\"id\":94,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - 
connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming - Request Duration By Service 
Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":44},\"id\":95,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - 
sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming - Request Size By Service Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":44},\"id\":96,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"hist
ogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - 
destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response - Size By Service Workload\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":50},\"id\":92,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\
":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Received from Incoming TCP 
Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":50},\"id\":93,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", 
destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"type\":\"timeseries\"}],\"refresh\":\"1m\",\"schemaVersion\":38,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"hide\":0,\"includeAll\":false,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"current\":{\"selected\":false,\"text\":\"details.default.svc.cluster.local\",\"value\":\"details.default.svc.cluster.local\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by 
(destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[{\"selected\":false,\"text\":\"source\",\"value\":\"source\"},{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"}],\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by (source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by 
(source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_cluster) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload 
Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or - sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) - by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( - sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", - destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", - destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-15m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Service Dashboard\",\"version\":1,\"weekStart\":\"\"}\n" - istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":{\"type\":\"datasource\",\"uid\":\"grafana\"},\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, - 211, 255, 1)\",\"name\":\"Annotations 
& Alerts\",\"type\":\"dashboard\"}]},\"editable\":true,\"fiscalYearStartMonth\":0,\"graphTooltip\":0,\"links\":[],\"liveNow\":false,\"panels\":[{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"General\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"title\":\"Incoming - Request Volume\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"rgba(50, - 172, 45, 0.97)\",\"value\":null},{\"color\":\"rgba(237, 129, 40, 0.89)\",\"value\":95},{\"color\":\"rgba(245, - 54, 54, 
0.9)\",\"value\":99}]},\"unit\":\"percentunit\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"title\":\"Incoming - Success Rate (non-5xx responses)\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"id\":87,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"right\",\"showLegend\":true},\"tooltip\
":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"title\":\"Request - 
Duration\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP - Server Traffic\",\"type\":\"stat\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"fixedColor\":\"rgb(31, - 120, 
193)\",\"mode\":\"fixed\"},\"mappings\":[{\"options\":{\"match\":\"null\",\"result\":{\"text\":\"N/A\"}},\"type\":\"special\"}],\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"links\":[],\"maxDataPoints\":100,\"options\":{\"colorMode\":\"none\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"mean\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"title\":\"TCP - Client Traffic\",\"type\":\"stat\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":12},\"id\":93,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Inbound - Workloads\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"id\":25,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ 
response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming - Requests By Source And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"id\":26,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"
placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ 
source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Incoming - Success Rate (non-5xx responses) By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"id\":27,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or 
histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", 
destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Duration By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"id\":28,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Incoming Request Size By Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"id\":68,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",
\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 
(\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response Size By 
Source\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"id\":80,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", 
destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Received from Incoming TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"id\":82,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"type\":\"timeseries\"},{\"collapsed\":false,\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":34},\"id\":91,\"panels\":[],\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"refId\":\"A\"}],\"title\":\"Outbound - Services\",\"type\":\"row\"},{\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":35},\"id\":69,\"links\":[],\"options\":{\"code\":{\"language\":\"plaintext\",\"showLineNumbers\":false,\"showMiniMap\":false},\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"10.1.5\",\"transparent\":true,\"type\":\"text\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":0,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"ops\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":38},\"id\":70,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"single\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Outgoing - Requests By Destination And Response Code\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"max\":1.01,\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"percentunit\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":38},\"id\":71,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10
.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Outgoing Success - Rate (non-5xx responses) By 
Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"s\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":44},\"id\":72,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - 
source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 
(\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - 
connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Outgoing - Request Duration By Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":44},\"id\":73,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - 
sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} 
P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Outgoing - Request Size By Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"decbytes\"},\"overrides\":[{\"matcher\":{\"id\":\"byValue\",\"options\":{\"op\":\"gte\",\"reducer\":\"allIsNull\",\"value\":0}},\"properties\":[{\"id\":\"custom.hideFrom\",\"value\":{\"legend\":true,\"tooltip\":true,\"viz\":false}}]}]},\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":44},\"id\":74,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", 
connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"title\":\"Response - Size By 
Destination\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":50},\"id\":76,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) 
by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes Sent on - Outgoing TCP Connection\",\"type\":\"timeseries\"},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"fieldConfig\":{\"defaults\":{\"color\":{\"mode\":\"palette-classic\"},\"custom\":{\"axisCenteredZero\":false,\"axisColorMode\":\"text\",\"axisLabel\":\"\",\"axisPlacement\":\"auto\",\"barAlignment\":0,\"drawStyle\":\"line\",\"fillOpacity\":10,\"gradientMode\":\"none\",\"hideFrom\":{\"legend\":false,\"tooltip\":false,\"viz\":false},\"insertNulls\":false,\"lineInterpolation\":\"linear\",\"lineWidth\":1,\"pointSize\":5,\"scaleDistribution\":{\"type\":\"linear\"},\"showPoints\":\"never\",\"spanNulls\":false,\"stacking\":{\"group\":\"A\",\"mode\":\"none\"},\"thresholdsStyle\":{\"mode\":\"off\"}},\"mappings\":[],\"min\":0,\"thresholds\":{\"mode\":\"absolute\",\"steps\":[{\"color\":\"green\",\"value\":null},{\"color\":\"red\",\"value\":80}]},\"unit\":\"Bps\"},\"overrides\":[]},\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":50},\"id\":78,\"links\":[],\"options\":{\"legend\":{\"calcs\":[],\"displayMode\":\"list\",\"placement\":\"bottom\",\"showLegend\":true},\"tooltip\":{\"mode\":\"multi\",\"sort\":\"none\"}},\"pluginVersion\":\"10.1.5\",\"targets\":[{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"title\":\"Bytes Received - from Outgoing TCP Connection\",\"type\":\"timeseries\"}],\"refresh\":\"1m\",\"schemaVersion\":38,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"hide\":0,\"includeAll\":false,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) - by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)) or 
(sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[{\"selected\":false,\"text\":\"source\",\"value\":\"source\"},{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"}],\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound 
- Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"current\":{\"selected\":false,\"text\":\"All\",\"value\":\"$__all\"},\"datasource\":{\"type\":\"prometheus\",\"uid\":\"${datasource}\"},\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination - Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-30m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Workload Dashboard\",\"version\":1,\"weekStart\":\"\"}\n" -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-services-grafana-dashboards - namespace: istio-system 
diff --git a/istio-1.24.3/samples/addons/jaeger.yaml b/istio-1.24.3/samples/addons/jaeger.yaml
deleted file mode 100644
index 6cc13587..00000000
--- a/istio-1.24.3/samples/addons/jaeger.yaml
+++ /dev/null
@@ -1,121 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jaeger - namespace: istio-system - labels: - app: jaeger -spec: - selector: - matchLabels: - app: jaeger - template: - metadata: - labels: - app: jaeger - sidecar.istio.io/inject: "false" - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "14269" - spec: - containers: - - name: jaeger - image: "docker.io/jaegertracing/all-in-one:1.58" - env: - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - - name: COLLECTOR_ZIPKIN_HOST_PORT - value: ":9411" - - name: MEMORY_MAX_TRACES - value: "50000" - - name: QUERY_BASE_PATH - value: /jaeger - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 - volumeMounts: - - name: data - mountPath: /badger - resources: - requests: - cpu: 10m - volumes: - - name: data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - targetPort: 16686 - # Note: Change port name if you add '--query.grpc.tls.enabled=true' - - name: grpc-query - port: 16685 - protocol: TCP - targetPort: 16685 - selector: - app: jaeger ---- -# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. 
-apiVersion: v1 -kind: Service -metadata: - labels: - name: zipkin - name: zipkin - namespace: istio-system -spec: - ports: - - port: 9411 - targetPort: 9411 - name: http-query - selector: - app: jaeger ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-collector - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: jaeger-collector-http - port: 14268 - targetPort: 14268 - protocol: TCP - - name: jaeger-collector-grpc - port: 14250 - targetPort: 14250 - protocol: TCP - - port: 9411 - targetPort: 9411 - name: http-zipkin - - port: 4317 - name: grpc-otel - - port: 4318 - name: http-otel - selector: - app: jaeger diff --git a/istio-1.24.3/samples/addons/kiali.yaml b/istio-1.24.3/samples/addons/kiali.yaml deleted file mode 100644 index f899a633..00000000 --- a/istio-1.24.3/samples/addons/kiali.yaml +++ /dev/null 
@@ -1,425 +0,0 @@ ---- -# Source: kiali-server/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kiali - namespace: "istio-system" - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -... ---- -# Source: kiali-server/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kiali - namespace: "istio-system" - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -data: - config.yaml: | - additional_display_details: - - annotation: kiali.io/api-spec - icon_annotation: kiali.io/api-type - title: API Documentation - auth: - openid: {} - openshift: - client_id_prefix: kiali - strategy: anonymous - clustering: - autodetect_secrets: - enabled: true - label: kiali.io/multiCluster=true - clusters: [] - deployment: - additional_service_yaml: {} - affinity: - node: {} - pod: {} - pod_anti: {} - cluster_wide_access: true - configmap_annotations: {} - custom_envs: [] - custom_secrets: [] - dns: - config: {} - policy: "" - host_aliases: [] - hpa: - api_version: autoscaling/v2 - spec: {} - image_digest: "" - image_name: quay.io/kiali/kiali - image_pull_policy: IfNotPresent - image_pull_secrets: [] - image_version: v2.0 - ingress: - additional_labels: {} - class_name: nginx - override_yaml: - metadata: {} - ingress_enabled: false - instance_name: kiali - logger: - log_format: text - log_level: info - sampler_rate: "1" - time_field_format: 2006-01-02T15:04:05Z07:00 - namespace: istio-system - node_selector: {} - pod_annotations: {} - pod_labels: - sidecar.istio.io/inject: "false" - priority_class_name: "" - replicas: 1 - 
resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - secret_name: kiali - security_context: {} - service_annotations: {} - service_type: "" - tolerations: [] - version_label: v2.0.0 - view_only_mode: false - external_services: - custom_dashboards: - enabled: true - istio: - root_namespace: istio-system - tracing: - enabled: false - identity: - cert_file: "" - private_key_file: "" - istio_namespace: istio-system - kiali_feature_flags: - disabled_features: [] - validations: - ignore: - - KIA1301 - login_token: - signing_key: CHANGEME00000000 - server: - observability: - metrics: - enabled: true - port: 9090 - port: 20001 - web_root: /kiali -... ---- -# Source: kiali-server/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resources: - - configmaps - - endpoints - - pods/log - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - namespaces - - pods - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - patch -- apiGroups: [""] - resources: - - pods/portforward - verbs: - - create - - post -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - patch -- apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - patch -- apiGroups: - - networking.istio.io - - security.istio.io - - extensions.istio.io - - telemetry.istio.io - - gateway.networking.k8s.io - resources: ["*"] - verbs: - - get - - list - - watch - - create - - delete - - patch -- apiGroups: ["apps.openshift.io"] - resources: - - deploymentconfigs - verbs: - - get - - list - - 
watch - - patch -- apiGroups: ["project.openshift.io"] - resources: - - projects - verbs: - - get -- apiGroups: ["route.openshift.io"] - resources: - - routes - verbs: - - get -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create -- apiGroups: ["oauth.openshift.io"] - resources: - - oauthclients - resourceNames: - - kiali-istio-system - verbs: - - get -- apiGroups: ["admissionregistration.k8s.io"] - resources: - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch -... ---- -# Source: kiali-server/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kiali -subjects: -- kind: ServiceAccount - name: kiali - namespace: "istio-system" -... ---- -# Source: kiali-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kiali - namespace: "istio-system" - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - annotations: -spec: - ports: - - name: http - appProtocol: http - protocol: TCP - port: 20001 - - name: http-metrics - appProtocol: http - protocol: TCP - port: 9090 - selector: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali -... 
---- -# Source: kiali-server/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kiali - namespace: "istio-system" - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-2.0.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v2.0.0" - app.kubernetes.io/version: "v2.0.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 03a677accc379d7d5b7b3c74464dc72867b31f794e5beaa98221ba19c5735016 - prometheus.io/scrape: "true" - prometheus.io/port: "9090" - kiali.io/dashboards: go,kiali - spec: - serviceAccountName: kiali - containers: - - image: "quay.io/kiali/kiali:v2.0" - imagePullPolicy: IfNotPresent - name: kiali - command: - - "/opt/kiali/kiali" - - "-config" - - "/kiali-configuration/config.yaml" - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - ports: - - name: api-port - containerPort: 20001 - - name: http-metrics - containerPort: 9090 - readinessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - env: - - name: ACTIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LOG_LEVEL - value: "info" - - name: 
LOG_FORMAT - value: "text" - - name: LOG_TIME_FIELD_FORMAT - value: "2006-01-02T15:04:05Z07:00" - - name: LOG_SAMPLER_RATE - value: "1" - volumeMounts: - - name: kiali-configuration - mountPath: "/kiali-configuration" - - name: kiali-cert - mountPath: "/kiali-cert" - - name: kiali-secret - mountPath: "/kiali-secret" - - name: kiali-cabundle - mountPath: "/kiali-cabundle" - resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - volumes: - - name: kiali-configuration - configMap: - name: kiali - - name: kiali-cert - secret: - secretName: istio.kiali-service-account - optional: true - - name: kiali-secret - secret: - secretName: kiali - optional: true - - name: kiali-cabundle - configMap: - name: kiali-cabundle - optional: true -... diff --git a/istio-1.24.3/samples/addons/loki.yaml b/istio-1.24.3/samples/addons/loki.yaml deleted file mode 100644 index 2bc77414..00000000 --- a/istio-1.24.3/samples/addons/loki.yaml +++ /dev/null 
@@ -1,382 +0,0 @@ ---- -# Source: loki/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: loki/templates/config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: | - - auth_enabled: false - bloom_build: - builder: - planner_address: "" - enabled: false - bloom_gateway: - client: - addresses: "" - enabled: false - common: - compactor_address: 'http://loki:3100' - path_prefix: /var/loki - replication_factor: 1 - storage: - filesystem: - chunks_directory: /var/loki/chunks - rules_directory: /var/loki/rules - frontend: - scheduler_address: "" - tail_proxy_url: "" - frontend_worker: - scheduler_address: "" - index_gateway: - mode: simple - limits_config: - max_cache_freshness_per_query: 10m - query_timeout: 300s - reject_old_samples: true - reject_old_samples_max_age: 168h - split_queries_by_interval: 15m - volume_enabled: true - memberlist: - join_members: - - loki-memberlist - pattern_ingester: - enabled: false - query_range: - align_queries_with_step: true - ruler: - storage: - type: local - runtime_config: - file: /etc/loki/runtime-config/runtime-config.yaml - schema_config: - configs: - - from: "2024-04-01" - index: - period: 24h - prefix: index_ - object_store: 'filesystem' - schema: v13 - store: tsdb - server: - grpc_listen_port: 9095 - http_listen_port: 3100 - http_server_read_timeout: 600s - http_server_write_timeout: 600s - storage_config: - bloom_shipper: - working_directory: /var/loki/data/bloomshipper - boltdb_shipper: - 
index_gateway_client: - server_address: "" - hedging: - at: 250ms - max_per_second: 20 - up_to: 3 - tsdb_shipper: - index_gateway_client: - server_address: "" - tracing: - enabled: false ---- -# Source: loki/templates/runtime-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-runtime - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm -data: - runtime-config.yaml: | - {} ---- -# Source: loki/templates/backend/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm - name: loki-clusterrole -rules: -- apiGroups: [""] # "" indicates the core API group - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] ---- -# Source: loki/templates/backend/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: loki-clusterrolebinding - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: loki - namespace: istio-system -roleRef: - kind: ClusterRole - name: loki-clusterrole - apiGroup: rbac.authorization.k8s.io ---- -# Source: loki/templates/service-memberlist.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-memberlist - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm - annotations: -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp - port: 7946 - targetPort: http-memberlist - protocol: 
TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/part-of: memberlist ---- -# Source: loki/templates/single-binary/service-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-headless - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm - variant: headless - prometheus.io/service-monitor: "false" - annotations: -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki ---- -# Source: loki/templates/single-binary/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm - annotations: -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - - name: grpc - port: 9095 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary ---- -# Source: loki/templates/single-binary/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki - namespace: istio-system - labels: - helm.sh/chart: loki-6.18.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.2.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist -spec: - replicas: 1 - podManagementPolicy: Parallel - updateStrategy: - rollingUpdate: - partition: 0 - serviceName: loki-headless - revisionHistoryLimit: 10 - - persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - 
whenScaled: Delete - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - template: - metadata: - annotations: - checksum/config: 33763d92c95bb565c019078f0419bddedd9febff7743044c8a329dfe84d4d218 - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist - spec: - serviceAccountName: loki - automountServiceAccountToken: true - enableServiceLinks: true - - securityContext: - fsGroup: 10001 - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - terminationGracePeriodSeconds: 30 - containers: - - name: loki-sc-rules - image: "kiwigrid/k8s-sidecar:1.27.5" - imagePullPolicy: IfNotPresent - env: - - name: METHOD - value: WATCH - - name: LABEL - value: "loki_rule" - - name: FOLDER - value: "/rules" - - name: RESOURCE - value: "both" - - name: WATCH_SERVER_TIMEOUT - value: "60" - - name: WATCH_CLIENT_TIMEOUT - value: "60" - - name: LOG_LEVEL - value: "INFO" - volumeMounts: - - name: sc-rules-volume - mountPath: "/rules" - - name: loki - image: docker.io/grafana/loki:3.2.0 - imagePullPolicy: IfNotPresent - args: - - -config.file=/etc/loki/config/config.yaml - - -target=all - ports: - - name: http-metrics - containerPort: 3100 - protocol: TCP - - name: grpc - containerPort: 9095 - protocol: TCP - - name: http-memberlist - containerPort: 7946 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - httpGet: - path: /ready - port: http-metrics - initialDelaySeconds: 30 - timeoutSeconds: 1 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config - mountPath: /etc/loki/config - - name: runtime-config - mountPath: /etc/loki/runtime-config - - name: storage - mountPath: /var/loki - - name: sc-rules-volume - mountPath: "/rules" - resources: - {} - affinity: - podAntiAffinity: - 
requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: single-binary - topologyKey: kubernetes.io/hostname - volumes: - - name: tmp - emptyDir: {} - - name: config - configMap: - name: loki - items: - - key: "config.yaml" - path: "config.yaml" - - name: runtime-config - configMap: - name: loki-runtime - - name: sc-rules-volume - emptyDir: {} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: storage - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "10Gi" diff --git a/istio-1.24.3/samples/addons/prometheus.yaml b/istio-1.24.3/samples/addons/prometheus.yaml deleted file mode 100644 index 78f92228..00000000 --- a/istio-1.24.3/samples/addons/prometheus.yaml +++ /dev/null 
@@ -1,570 +0,0 @@ ---- -# Source: prometheus/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus - namespace: istio-system -data: - allow-snippet-annotations: "false" - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - 
replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - honor_labels: true - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - - honor_labels: true - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - honor_labels: true - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: service - - honor_labels: true - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: 
keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - - honor_labels: true - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - scrape_interval: 5m - scrape_timeout: 30s - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - 
"networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "discovery.k8s.io" - resources: - - endpointslices - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get ---- -# Source: prometheus/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - 
app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - replicas: 1 - revisionHistoryLimit: 10 - strategy: - type: Recreate - rollingUpdate: null - template: - metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: prometheus - app.kubernetes.io/instance: prometheus - app.kubernetes.io/version: v2.54.1 - helm.sh/chart: prometheus-25.27.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: prometheus - - sidecar.istio.io/inject: "false" - spec: - enableServiceLinks: true - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "ghcr.io/prometheus-operator/prometheus-config-reloader:v0.76.0" - imagePullPolicy: "IfNotPresent" - args: - - --watched-dir=/etc/config - - --listen-address=0.0.0.0:8080 - - --reload-url=http://127.0.0.1:9090/-/reload - ports: - - containerPort: 8080 - name: metrics - livenessProbe: - httpGet: - path: /healthz - port: metrics - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /healthz - port: metrics - scheme: HTTP - periodSeconds: 10 - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.54.1" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - 
successThreshold: 1 - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - dnsPolicy: ClusterFirst - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: storage-volume - emptyDir: - {} diff --git a/istio-1.24.3/samples/ambient-argo/README.md b/istio-1.24.3/samples/ambient-argo/README.md deleted file mode 100644 index 9eb1024e..00000000 --- a/istio-1.24.3/samples/ambient-argo/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Ambient Reference Architecture w/ Argo - -This repo contains a reference architecture for operating Istio Ambient Mesh with ArgoCD using GitOps. It demonstrates best practices for leveraging Istio as part of an application platform. - -## :boom: DISCLAIMER - -Istio Ambient Mesh is still in Alpha, and is not suitable for production use. Likewise, this reference architecture is of Alpha quality, and includes several rough edges, including: - * Cluster-Scoped upgrades cause known traffic loss, and have wide blast radius. - * The tag chart is forked from the primary istio repo, and needs to be merged and published - * CRDs are not currently upgraded - -## Getting Started - -This reference architecture assumes that you have an ArgoCD installation with: - * A [connected cluster](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_cluster/) named `ambient-cluster` - * A connection to your repository (for private repos) - -To deploy Istio, supporting software, and the bookinfo sample application, copy this folder to the root of your repo and run: - -```bash -read -p 'Please enter the URL to your repo:' -OLD_REPO='{repo-placeholder}' -find . \( -type d -name .git -prune \) -o -type f -name '*.yaml' -print0 | xargs -0 sed -i s,$OLD_REPO,$NEW_REPO,g -argocd create application -f meta-application.json -``` - -## Repository Layout - -The meta-application.yaml file is an App-of-Apps that references all other applications needed for running Istio and the demo application via ArgoCD. The diagram below demonstrates the deployment mechanism for each part of the platform. - -![architecture diagram][layout] - -## Principles - -The [GitOps Principles](https://opengitops.dev/) guide this reference architecture. With the exception of [./meta-application.yaml](./meta-application.yaml) (the bootstrap file), Git is the source of truth for all components of our application. 
Changes to all components of Istio, including the data plane, are initiated with a pull request. Likewise, rollbacks are as simple as a revert. - -In particular, Istio Sidecars are known to violate the Declarative principle - the version of Istio injected in the sidecar is determined at runtime by the version of the injector at the time the pod was created. Upgrading the injector does not cause the sidecar to upgrade, instead all injected pods must be restarted in order to upgrade their sidecars, which is an imperative operation, rather than a declarative one. - -Additionally, emerging patterns from the field of Platform Engineering guide our understanding of enterprise roles. In particular, two roles are represented in this Architecture: the Application Developer (AppDev) and Platform Engineer (PlatEng). - -### Role: Application Developer - -The AppDev is responsible for the development and delivery of their application, in this case the bookinfo e-commerce application. The AppDev will make use of Istio features, such as HTTPRoutes, AuthorizationPolicy, and L4-L7 telemetry, but is not an expert in Istio, and should be unaware of installation and upgrades. In most cases, AppDev's use of Istio APIs is both templated, to provide them with a simpler API surface, and limited by Policy with tools such as Gatekeeper. Because the focus of this architecture, these technologies are not included here. - -### Role: Platform Engineer - -The PlatEng is responsible for providing the AppDev with a comprehensive application platform, which simplifies getting the application from Source Control to Production, as well as operating the App in Production. As such, the PlatEng team must have a good deal of expertise in installing, operating, and automating a broad array of Cloud Native technologies, such as Service Mesh, Kubernetes, Observability stores and consumers, GitOps tooling, Policy enforcement, and templating tools such as Crossplane. 
Due to this breadth, the Platform Engineer cannot spend all their time learning or operating any one technology, and any technology that is too difficult to operate is likely to be removed from the platform. - -## Components - -Istio is composed of six charts in Ambient Mode. The components are divided between the Control Plane and the Data Plane, and some are Cluster-Scoped, while others can have multiple versions in a single cluster. - -| | Control Plane | Data Plane | -| ------------------- |:--------------------------:| :----------------:| -| **Cluster-Scoped** | CRDs + validation | CNI
ztunnel | -| **Workload-Scoped** | istiod
tags + revisions | waypoint (envoy) | - -Of these components, only waypoints (and other gateways) are intended to be operated by the AppDev (some users may choose to limit ingress gateways to the PlatEng role as well). The remainder are the sole responsibility of the PlatEng role, and will be the focus of this reference architecture. - -### Tags and Revisions - -Istio components, particularly the waypoint, can specify which control plane they connect to (and by inference what version of the data plane they will run) using the `istio.io/rev` label set to a tag or revision. - -As in sidecar mode, every control plane installation may (and should) include a revision name, which is a stable identifier for that control plane installation and version. For simplicity, we recommend using the version of the control plane as the revision name (see [./istio/control-plane-appset.yaml:9](./istio/control-plane-appset.yaml), at .spec.generators[0].list.elements[*].revision). - -Tags also identify control planes, but unlike revisions, tags are mutable references to revisions. When an Istio Gateway (waypoint, ingress, or egress) references a particular tag, a dataplane is created using the version of the tag reference, and connects to the control plane indicated by the tag. In this way, gateways can be organized into channels, or distinct groups which will be upgraded concurrently, without any involvement from the AppDev who owns the gateway. - -In this reference architecture, three tags are used: stable, rapid, and default (the default tag will manage any gateways which do not use the `istio.io/rev` label). In the example application, we have included an ingress gateway on the default tag, and two waypoints for the reviews and details services, which use the rapid and stable tags. At the time of writing, the rapid revision points to revision 1-19-3, while the stable and default revisions point to revision 1-18-5. 
The tags definitions can be found at [./istio/tags.yaml](./istio/tags.yaml). - -## Upgrade Planning - -This reference architecture provides the tools to declaratively manage your Istio Ambient installations with simple pull requests. Before performing an upgrade, however, the PlatEng team should consider how they would like their upgrades to progress. The two most common strategies are channels and phases, and these strategies can be combined. - -In a phased model, there is generally a single version of Istio available in the cluster. When a new version becomes available, the phases are moved one at a time to the new version, in order, until all phases have upgraded to the new model. The phased model supports any number of phases based on the needs of your platform. - -In a channel model, multiple versions of Istio are available for use by application developers at any point in time, based on their requirements for risk profile and new features or bugfixes. For example, at the time of this writing, the stable tag or channel is using Istio 1.18.5, while the rapid channel is using Istio 1.19.3. Under the channel model, these versions would be updated in-place as new patch releases are produced for various bugs or security concerns. Then, when Istio 1.20.0 ships (ETA late November 2023), the rapid channel will be moved to point to version 1.20.0, while the stable version will be moved to point to 1.19.x (where x is the lates patch result at that time). Because Istio releases are supported until two subsequent minor versions are shipiped (ie 1.18 will be supported until several weeks after 1.20 ships), this reference architecture uses only two channels, though more are possible. - -![strategy diagram][strategies] - -The channel and phased strategies can be combined into a comprehensive (though somewhat complicated) model where each channel contains phases, which determine the order of rollouts within the channel. 
-
-## Playbook: Minor Version Upgrade
-
-COMING SOON
-
-## Playbook: Major Version Upgrade
-
-COMING SOON
-
-## Tips and Tricks
-
-For a quick (but messy) readout on what Istio versions are being used in this repo, run:
-
-```bash
-yq '.spec.generators[0].list.elements' < istio/control-plane-appset.yaml && yq '.spec.source.helm.valuesObject.base.tags' < istio/tags.yaml && grep 'targetRevision' istio/*.yaml
-```
-
-[layout]: ./documentation/argo-reference-arch.svg "Repo Layout Diagram"
-[strategies]: ./documentation/Ambient%20Upgrade%20-%20Strategies.png "Upgrade Strategies Diagram"
diff --git a/istio-1.24.3/samples/ambient-argo/application/application.yaml b/istio-1.24.3/samples/ambient-argo/application/application.yaml
deleted file mode 100644
index 91eaea00..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/application.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: bookinfo-application
- namespace: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- destination:
- name: ambient-cluster
- namespace: ambient
- source:
- path: application
- repoURL: '{repo-placeholder}'
- targetRevision: HEAD
- directory:
- exclude: application.yaml
- project: default
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml b/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml
deleted file mode 100644
index c374bbee..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/bookinfo-versions.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v2
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v2
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v3
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v3
----
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: details-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
- version: v1
----
diff --git a/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml b/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml
deleted file mode 100644
index d0e5fddd..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/details-waypoint.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- labels:
- istio.io/rev: stable
- name: bookinfo-details
-spec:
- gatewayClassName: istio-waypoint
- listeners:
- - name: mesh
- port: 15008
- protocol: HBONE
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/details.yaml b/istio-1.24.3/samples/ambient-argo/application/details.yaml
deleted file mode 100644
index f0d72b59..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/details.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-details
- labels:
- account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- serviceAccountName: bookinfo-details
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.18.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml b/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml
deleted file mode 100644
index fdd5e7f2..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/ingress-gateway.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: http
- port: 80
- protocol: HTTP
- allowedRoutes:
- namespaces:
- from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: bookinfo
-spec:
- parentRefs:
- - name: bookinfo-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /productpage
- - path:
- type: PathPrefix
- value: /static
- - path:
- type: Exact
- value: /login
- - path:
- type: Exact
- value: /logout
- - path:
- type: PathPrefix
- value: /api/v1/products
- backendRefs:
- - name: productpage
- port: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/namespace.yaml b/istio-1.24.3/samples/ambient-argo/application/namespace.yaml
deleted file mode 100644
index 1719eb58..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ambient
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/productpage.yaml b/istio-1.24.3/samples/ambient-argo/application/productpage.yaml
deleted file mode 100644
index c136feb6..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/productpage.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-productpage
- labels:
- account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: productpage-v1
- labels:
- app: productpage
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: productpage
- version: v1
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9080"
- prometheus.io/path: "/metrics"
- labels:
- app: productpage
- version: v1
- spec:
- serviceAccountName: bookinfo-productpage
- containers:
- - name: productpage
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.18.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- volumes:
- - name: tmp
- emptyDir: {}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/ratings.yaml b/istio-1.24.3/samples/ambient-argo/application/ratings.yaml
deleted file mode 100644
index 69cfd8e2..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/ratings.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings
- labels:
- account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- serviceAccountName: bookinfo-ratings
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.18.0
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml b/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml
deleted file mode 100644
index 9cf6a1a4..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/reviews-waypoint.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- labels:
- istio.io/rev: rapid
- name: bookinfo-reviews
-spec:
- gatewayClassName: istio-waypoint
- listeners:
- - name: mesh
- port: 15008
- protocol: HBONE
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/reviews.yaml b/istio-1.24.3/samples/ambient-argo/application/reviews.yaml
deleted file mode 100644
index 6e389ad3..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/reviews.yaml
+++ /dev/null
@@ -1,143 +0,0 @@
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews
- labels:
- app: reviews
- service: reviews
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-reviews
- labels:
- account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v1
- labels:
- app: reviews
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v1
- template:
- metadata:
- labels:
- app: reviews
- version: v1
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v1:1.18.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.18.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v3
- labels:
- app: reviews
- version: v3
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v3
- template:
- metadata:
- labels:
- app: reviews
- version: v3
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v3:1.18.0
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml b/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml
deleted file mode 100644
index 1160a442..00000000
--- a/istio-1.24.3/samples/ambient-argo/application/route-reviews-90-10.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 90
- - name: reviews-v2
- port: 9080
- weight: 10
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/istio/cni.yaml b/istio-1.24.3/samples/ambient-argo/istio/cni.yaml
deleted file mode 100644
index 85024c43..00000000
--- a/istio-1.24.3/samples/ambient-argo/istio/cni.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: istio-cni
- namespace: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- destination:
- name: ambient-cluster
- namespace: kube-system
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
- sources:
- - repoURL: 'https://istio-release.storage.googleapis.com/charts'
- targetRevision: 1.18.5
- helm:
- valuesObject:
- revision: rapid
- cni:
- cniBinDir: "/home/kubernetes/bin"
- valueFiles:
- - >-
- $values/manifests/charts/istio-cni/ambient-values.yaml
- chart: cni
- - repoURL: 'https://github.com/istio/istio.git'
- targetRevision: HEAD
- ref: values
diff --git a/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml b/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml
deleted file mode 100644
index 129091d0..00000000
--- a/istio-1.24.3/samples/ambient-argo/istio/control-plane-appset.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
- name: istio-multi-control
-spec:
- generators:
- - list:
- elements:
- - version: 1.18.5
- revision: 1-18-5
- - version: 1.19.3
- revision: 1-19-3
- template:
- metadata:
- name: 'istio-control-{{revision}}'
- spec:
- project: default
- sources:
- - repoURL: 'https://istio-release.storage.googleapis.com/charts'
- targetRevision: '{{version}}'
- helm:
- valuesObject:
- revision: '{{revision}}'
- valueFiles:
- - >-
- $values/manifests/charts/istio-control/istio-discovery/ambient-values.yaml
- chart: istiod
- - repoURL: 'https://github.com/istio/istio.git'
- targetRevision: HEAD
- ref: values
- destination:
- name: ambient-cluster
- namespace: istio-system
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/istio/extras.yaml b/istio-1.24.3/samples/ambient-argo/istio/extras.yaml
deleted file mode 100644
index 47a7e2dc..00000000
--- a/istio-1.24.3/samples/ambient-argo/istio/extras.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: istio-addons
- namespace: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- source:
- repoURL: 'https://github.com/istio/istio.git'
- targetRevision: HEAD
- path: samples/addons
- directory:
- exclude: loki.yaml
- destination:
- name: ambient-cluster
- namespace: istio-system
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/istio-1.24.3/samples/ambient-argo/istio/tags.yaml b/istio-1.24.3/samples/ambient-argo/istio/tags.yaml
deleted file mode 100644
index 264ca34d..00000000
--- a/istio-1.24.3/samples/ambient-argo/istio/tags.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: istio-tags
- namespace: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- destination:
- name: ambient-cluster
- namespace: istio-system
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
- source:
- path: tag-chart
- repoURL: '{repo-placeholder}'
- targetRevision: HEAD
- helm:
- valuesObject:
- base:
- tags:
- default:
- revision: "1-18-5"
- stable:
- revision: "1-18-5"
- rapid:
- revision: "1-19-3"
- istiodservice: "1-18-5" # This can be removed once ztunnel is on 1.20
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml b/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml
deleted file mode 100644
index e8cad644..00000000
--- a/istio-1.24.3/samples/ambient-argo/istio/ztunnel.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: istio-ztunnel
- namespace: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- source:
- repoURL: 'https://istio-release.storage.googleapis.com/charts'
- targetRevision: 1.18.5
- chart: ztunnel
- helm:
- valuesObject:
- revision: rapid
- destination:
- name: ambient-cluster
- namespace: istio-system
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/istio-1.24.3/samples/ambient-argo/meta-application.yaml b/istio-1.24.3/samples/ambient-argo/meta-application.yaml
deleted file mode 100644
index 19a9344c..00000000
--- a/istio-1.24.3/samples/ambient-argo/meta-application.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: meta-application
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- destination:
- name: in-cluster
- namespace: argocd
- server: ''
- sources:
- - path: istio
- repoURL: '{repo-placeholder}'
- targetRevision: HEAD
- - path: application
- repoURL: '{repo-placeholder}'
- targetRevision: HEAD
- directory:
- include: application.yaml
- project: default
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- retry:
- limit: 2
- backoff:
- duration: 5s
- maxDuration: 3m0s
- factor: 2
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml
deleted file mode 100644
index f7b73a56..00000000
--- a/istio-1.24.3/samples/ambient-argo/tag-chart/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-name: tags
-version: 1.1.0
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio cluster resources and CRDs
-keywords:
- - istio
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml
deleted file mode 100644
index 339ba52a..00000000
--- a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/mutatingwebhooks.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
-{{- define "core" }}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: "{{ .injectionURL }}"
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- path: "{{ .injectionPath }}"
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1"]
-{{- end }}
-
-{{- range $tagName, $tag := $.Values.base.tags }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq $.Release.Namespace "istio-system"}}
- name: istio-revision-tag-{{ $tagName }}
-{{- else }}
- name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
-{{- end }}
- labels:
- istio.io/tag: {{ $tagName }}
- istio.io/rev: {{ $tag.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ $.Release.Name }}
-webhooks:
-{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- - "{{ $tagName }}"
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- - "{{ $tagName }}"
-
-{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
-{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
-{{- if (eq $tagName "default") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $) (deepCopy $tag) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
----
-{{- end }}
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml
deleted file mode 100644
index ae63ae73..00000000
--- a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/shimservice.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if ((.Values.base.tags.default).revision) }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: istiod
- istio: pilot
- release: {{ .Release.Name }}
- name: istiod
- namespace: istio-system
-spec:
- ports:
- - name: grpc-xds
- port: 15010
- protocol: TCP
- - name: https-dns
- port: 15012
- protocol: TCP
- - name: https-webhook
- port: 443
- protocol: TCP
- targetPort: 15017
- - name: http-monitoring
- port: 15014
- protocol: TCP
- selector:
- app: istiod
- istio.io/rev: {{ .Values.base.istiodservice }}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml
deleted file mode 100644
index 6dd4b29a..00000000
--- a/istio-1.24.3/samples/ambient-argo/tag-chart/templates/validatingwebhook.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if .Values.global.configValidation }}
-{{- if hasKey .Values.base.tags "default" }}
-{{- $tag := .Values.base.tags.default }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- istio: istiod
- istio.io/rev: {{ $tag.revision | default "default" }}
- istio.io/tag: "default"
- # Required to make sure this resource is removed
- # when purging Istio resources
- operator.istio.io/component: Pilot
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if $tag.validationURL }}
- url: {{ $tag.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq $tag.revision "") }}-{{ $tag.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- apiVersions:
- - "*"
- resources:
- - "*"
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
----
-{{- end }}
-{{- end }}
diff --git a/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml b/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml
deleted file mode 100644
index f27642b7..00000000
--- a/istio-1.24.3/samples/ambient-argo/tag-chart/values.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-global:
-
- # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- istiod:
- enableAnalysis: false
-
- configValidation: true
- externalIstiod: false
- remotePilotAddress: ""
-
-base:
- # Used for helm2 to add the CRDs to templates.
- enableCRDTemplates: false
-
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
-
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
- # Defines the mapping from revision tags to revisions.
- #
- # The following fields can be set for each revision tag:
- # (1) revision (REQUIRED): the revision to use for this revision tag.
- # (2) namespace: the namespace containing the istiod revision.
- # (3) validationURL: the URL to use for validation on this revision tag.
- # (4) injectionURL: the URL to for injection on this revision tag.
- # (5) injectionPath: the injection path to use for this tag webhook.
- #
- # Note that the revision tag "default" has additional semantic meaning as it
- # controls the revision that performs validation and the revision that handles
- # injection for default selectors ("istio-injection=enabled" and "sidecar.istio.io/inject").
- tags: {}
diff --git a/istio-1.24.3/samples/bookinfo/README.md b/istio-1.24.3/samples/bookinfo/README.md
deleted file mode 100644
index 18f9701d..00000000
--- a/istio-1.24.3/samples/bookinfo/README.md
+++ /dev/null
@@ -1,234 +0,0 @@
-# Bookinfo Sample
-
-See .
-
-**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository.
-
-## General Setup
-
-```bash
-# This defines the docker hub to use when running integration tests and building docker images
-# eg: HUB="docker.io/istio", HUB="gcr.io/istio-testing"
-export HUB="docker.io/$USER"
-
-# This defines the docker tag to use when running integration tests and
-# building docker images to be your user id. You may also set this variable
-# this to any other legitimate docker tag.
-export TAG=
-```
-
-## Compile code
-
-```bash
-cd samples/bookinfo
-BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh
-```
-
-For example:
-
-```bash
-$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh
-+++ dirname ./build-services.sh
-++ cd .
-++ pwd
-+ SCRIPTDIR=/work/samples/bookinfo/src
-+ cd /work/samples/bookinfo/src/../../..
-+ h=docker.io/user1
-+ t=test1.0
-+ [[ docker.io/user1 == \i\s\t\i\o ]]
-+ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]]
-+ plat=linux/amd64
-+ [[ '' == \t\r\u\e ]]
-+ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64'
-[+] Building 1.9s (123/133)
- => [examples-bookinfo-ratings-v-faulty internal] load build definition from Dockerfile 0.0s
- => => transferring dockerfile: 1.05kB 0.0s
-...
- => CACHED [examples-bookinfo-ratings-v-faulty 4/6] COPY ratings.js /opt/microservices/ 0.0s
- => CACHED [examples-bookinfo-ratings-v-faulty 5/6] WORKDIR /opt/microservices 0.0s
- => CACHED [examples-bookinfo-ratings-v-faulty 6/6] RUN npm install 0.0s
-WARNING: No output specified for examples-bookinfo-mysqldb, examples-bookinfo-ratings-v-faulty, examples-bookinfo-reviews-v2, examples-bookinfo-reviews-v3, examples-bookinfo-productpage-v-flooding, examples-bookinfo-ratings-v-unhealthy, examples-bookinfo-ratings-v-unavailable, examples-bookinfo-ratings-v1, examples-bookinfo-details-v2, examples-bookinfo-reviews-v1, examples-bookinfo-productpage-v1, examples-bookinfo-ratings-v-delayed, examples-bookinfo-details-v1, examples-bookinfo-ratings-v2, examples-bookinfo-mongodb target(s) with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
-```
-
-The code for the bookinfo sample is now compiled and built. The bookinfo versions are different from Istio versions since the sample should work with any version of Istio.
-
-## Build docker images
-
-```bash
-cd samples/bookinfo
-BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh --load
-```
-
-For example:
-
-```bash
-$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh --load
-+++ dirname ./build-services.sh
-++ cd .
-++ pwd
-+ SCRIPTDIR=/work/samples/bookinfo/src
-+ cd /work/samples/bookinfo/src/../../..
-+ h=docker.io/user1
-+ t=test1.0
-+ [[ docker.io/user1 == \i\s\t\i\o ]]
-+ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]]
-+ plat=linux/amd64
-+ [[ '' == \t\r\u\e ]]
-...
- => [examples-bookinfo-productpage-v-flooding] exporting to docker image format 10.4s
- => => exporting layers 0.0s
- => => exporting manifest sha256:5046deeca78c67f0977fa627b3c2a98ba380b09f4dabf5620040fbf723785f6a 0.0s
- => => exporting config sha256:5a632c874e649f6492d5a6592a3da2b9ee3fca8d6f55bfbc0249b865eb8579be 0.0s
- => => sending tarball 10.4s
- => importing to docker 0.1s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.0s
- => importing to docker 0.1s
- => importing to docker 0.3s
- => importing to docker 0.2s
- => importing to docker 0.1s
-+ [[ true == \t\r\u\e ]]
-+ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: docker.io\/user1\1:test1.0#g' '{}' +/ay
-```
-
-Docker images are now created.
-
-## Push docker images to docker hub
-
-After the local build is successful, you will need to push the images to Docker hub. You may need to login to Docker before you run the command using `docker login`.
-
-```bash
-cd samples/bookinfo
-BOOKINFO_LATEST=true BOOKINFO_TAG=$TAG BOOKINFO_HUB=$HUB src/build-services.sh --push
-```
-
-For example:
-
-```bash
-$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=docker.io/user1 src/build-services.sh --push
-+++ dirname ./build-services.sh
-++ cd .
-++ pwd
-+ SCRIPTDIR=/work/samples/bookinfo/src
-+ cd /work/samples/bookinfo/src/../../..
-+ h=docker.io/user1
-+ t=test1.0
-+ [[ docker.io/user1 == \i\s\t\i\o ]]
-+ [[ docker.io/user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]]
-+ plat=linux/amd64
-+ [[ '' == \t\r\u\e ]]
-+ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64' --push
-...
- => => pushing layers 11.1s
- => => pushing manifest for docker.io/user1/examples-bookinfo-reviews-v3:test1.0@sha256:4c9e2dfcabdfc55fba9037967ee412690b23d676481713eb88985926e229c8db 0.7s
- => [auth] user1/examples-bookinfo-ratings-v2:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-ratings-v-delayed:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-ratings-v-unavailable:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-ratings-v-unhealthy:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-ratings-v-faulty:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-mongodb:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-details-v1:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-productpage-v1:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-details-v2:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-productpage-v-flooding:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-reviews-v1:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-reviews-v3:pull,push token for registry-1.docker.io 0.0s
- => [auth] user1/examples-bookinfo-reviews-v2:pull,push token for registry-1.docker.io 0.0s
-+ [[ true == \t\r\u\e ]]
-+ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: docker.io\/user1\1:test1.0#g' '{}' +
-```
-
-## Update YAML files to point to the newly created images
-
-You need to update the YAML file with the latest tag that you used during the build, eg: `$HUB:$TAG`.
-
-Run the following script to update the YAML files in one step.
-
-```bash
-cd samples/bookinfo
-export BOOKINFO_UPDATE=true
-BOOKINFO_TAG=test1.0 BOOKINFO_HUB=user1 src/build-services.sh
-```
-
-For example:
-
-```bash
-$ export BOOKINFO_UPDATE=true
-$ BOOKINFO_TAG=test1.0 BOOKINFO_HUB=user1 src/build-services.sh
-+++ dirname samples/bookinfo/src/build-services.sh
-++ cd samples/bookinfo/src
-++ pwd
-+ SCRIPTDIR=/work/samples/bookinfo/src
-+ cd /work/samples/bookinfo/src/../../..
-+ h=user1
-+ t=test1.0
-+ [[ user1 == \i\s\t\i\o ]]
-+ [[ user1 == \d\o\c\k\e\r\.\i\o\/\i\s\t\i\o ]]
-+ plat=linux/amd64
-+ [[ '' == \t\r\u\e ]]
-+ env TAG=test1.0 HUB=docker.io/user1 docker buildx bake -f samples/bookinfo/src/docker-bake.hcl --set '*.platform=linux/amd64'
-...
- => CACHED [examples-bookinfo-ratings-v-faulty 4/6] COPY ratings.js /opt/microservices/ 0.0s
- => CACHED [examples-bookinfo-ratings-v-faulty 5/6] WORKDIR /opt/microservices 0.0s
- => CACHED [examples-bookinfo-ratings-v-faulty 6/6] RUN npm install 0.0s
-WARNING: No output specified for examples-bookinfo-mysqldb, examples-bookinfo-ratings-v-faulty, examples-bookinfo-reviews-v2, examples-bookinfo-reviews-v3, examples-bookinfo-productpage-v-flooding, examples-bookinfo-ratings-v-unhealthy, examples-bookinfo-ratings-v-unavailable, examples-bookinfo-ratings-v1, examples-bookinfo-details-v2, examples-bookinfo-reviews-v1, examples-bookinfo-productpage-v1, examples-bookinfo-ratings-v-delayed, examples-bookinfo-details-v1, examples-bookinfo-ratings-v2, examples-bookinfo-mongodb target(s) with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
-+ [[ true == \t\r\u\e ]]
-+ find ./samples/bookinfo/platform -name '*bookinfo*.yaml' -exec sed -i.bak 's#image:.*\(\/examples-bookinfo-.*\):.*#image: user1\1:test1.0#g' '{}' +
-```
-
-Verify that expected image eg: `user1/examples-bookinfo-*:test1.0` is updated in `platform/kube/bookinfo*.yaml` files.
-
-## Tests
-
-Test that the bookinfo samples work with the latest image eg: `user1/examples-bookinfo-*:test1.0` that you pushed.
-
-```bash
-$ cd ../../
-$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-serviceaccount/bookinfo-details created
-deployment.apps/details-v1 created
-serviceaccount/bookinfo-ratings created
-...
-```
-
-Wait for all the pods to be in `Running` start.
-
-```bash
-$ kubectl get pods
-NAME READY STATUS RESTARTS AGE
-details-v1-7f556f5c6b-485l2 2/2 Running 0 10m
-productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m
-ratings-v1-66777f856b-2ls78 2/2 Running 0 10m
-reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m
-reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m
-reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m
-```
-
-Once all the pods are in the `Running` state. Test if the bookinfo works through cli.
-
-```bash
-$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*"
-Simple Bookstore App
-```
-
-You can also test it by hitting productpage in the browser.
-
-```bash
-http://192.168.39.116:31395/productpage
-```
-
-You should see the following in the browser.
-
-![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png)
-
-**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes.
-
-Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository.
diff --git a/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml
deleted file mode 100644
index 4edaba40..00000000
--- a/istio-1.24.3/samples/bookinfo/demo-profile-no-gateways.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# IOP configuration used to install the demo profile without gateways.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- profile: demo
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- egressGateways:
- - name: istio-egressgateway
- enabled: false
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
deleted file mode 100644
index bcc17cfa..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: http
- port: 80
- protocol: HTTP
- allowedRoutes:
- namespaces:
- from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: bookinfo
-spec:
- parentRefs:
- - name: bookinfo-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /productpage
- - path:
- type: PathPrefix
- value: /static
- - path:
- type: Exact
- value: /login
- - path:
- type: Exact
- value: /logout
- - path:
- type: PathPrefix
- value: /api/v1/products
- backendRefs:
- - name: productpage
- port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml
deleted file mode 100644
index 17620e8f..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/route-all-v1.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: productpage
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: productpage
- port: 9080
- rules:
- - backendRefs:
- - name: productpage-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: ratings
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: ratings
- port: 9080
- rules:
- - backendRefs:
- - name: ratings-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: details
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: details
- port: 9080
- rules:
- - backendRefs:
- - name: details-v1
- port: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
deleted file mode 100644
index 42cbe35b..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 50
- - name: reviews-v3
- port: 9080
- weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
deleted file mode 100644
index f0ab4815..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 90
- - name: reviews-v2
- port: 9080
- weight: 10
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml
deleted file mode 100644
index b7f8d3cf..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v1.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml
deleted file mode 100644
index e76909aa..00000000
--- a/istio-1.24.3/samples/bookinfo/gateway-api/route-reviews-v3.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - group: ""
- kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v3
- port: 9080
diff --git a/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml
deleted file mode 100644
index 54e86888..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/bookinfo-gateway.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- # The selector matches the ingress gateway pod labels.
- # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
- selector:
- istio: ingressgateway # use istio default controller
- servers:
- - port:
- number: 8080
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: bookinfo
-spec:
- hosts:
- - "*"
- gateways:
- - bookinfo-gateway
- http:
- - match:
- - uri:
- exact: /productpage
- - uri:
- prefix: /static
- - uri:
- exact: /login
- - uri:
- exact: /logout
- - uri:
- prefix: /api/v1/products
- route:
- - destination:
- host: productpage
- port:
- number: 9080
diff --git a/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml
deleted file mode 100644
index f60f1c3b..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/certmanager-gateway.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: Gateway
-metadata:
- name: cert-manager-gateway
- namespace: istio-system
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: cert-manager
- namespace: istio-system
-spec:
- hosts:
- - "*"
- gateways:
- - cert-manager-gateway
- http:
- - match:
- - uri:
- prefix: /.well-known/acme-challenge/
- route:
- - destination:
- host: cert-manager-resolver
- port:
- number: 8089
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml
deleted file mode 100644
index 4aea699a..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all-mtls.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: productpage
-spec:
- host: productpage
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: ratings
-spec:
- host: ratings
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v2-mysql
- labels:
- version: v2-mysql
- - name: v2-mysql-vm
- labels:
- version: v2-mysql-vm
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml
deleted file mode 100644
index 0bf3337f..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/destination-rule-all.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: productpage
-spec:
- host: productpage
- subsets:
- - name: v1
- labels:
- version: v1
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: ratings
-spec:
- host: ratings
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v2-mysql
- labels:
- version: v2-mysql
- - name: v2-mysql-vm
- labels:
- version: v2-mysql-vm
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml
deleted file mode 100644
index ec549cec..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/destination-rule-reviews.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: reviews
-spec:
- host: reviews
- trafficPolicy:
- loadBalancer:
- simple: RANDOM
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
- - name: v3
- labels:
- version: v3
diff --git a/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml
deleted file mode 100644
index 2c88692c..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/egress-rule-google-apis.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: ServiceEntry
-metadata:
- name: googleapis
-spec:
- hosts:
- - www.googleapis.com
- ports:
- - number: 80
- name: http
- protocol: HTTP
- - number: 443
- name: https
- protocol: HTTPS
- resolution: DNS
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: rewrite-port-for-googleapis
-spec:
- hosts:
- - www.googleapis.com
- http:
- - match:
- - port: 80
- route:
- - destination:
- host: www.googleapis.com
- port:
- number: 443
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: originate-tls-for-googleapis
-spec:
- host: www.googleapis.com
- trafficPolicy:
- loadBalancer:
- simple: ROUND_ROBIN
- portLevelSettings:
- - port:
- number: 443
- tls:
- mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
diff --git a/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml
deleted file mode 100644
index cbf52713..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/fault-injection-details-v1.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - fault:
- abort:
- httpStatus: 555
- percentage:
- value: 100
- route:
- - destination:
- host: details
- subset: v1
- - route:
- - destination:
- host: details
- subset: v1
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: details
-spec:
- host: details
- subsets:
- - name: v1
- labels:
- version: v1
\ No newline at end of file
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml
deleted file mode 100644
index 53e2fd71..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-all-v1.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: productpage
-spec:
- hosts:
- - productpage
- http:
- - route:
- - destination:
- host: productpage
- subset: v1
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v1
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - route:
- - destination:
- host: details
- subset: v1
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml
deleted file mode 100644
index 74f93a9a..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-details-v2.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: details
-spec:
- hosts:
- - details
- http:
- - route:
- - destination:
- host: details
- subset: v2
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml
deleted file mode 100644
index 0f15398e..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-db.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
deleted file mode 100644
index fb70fd96..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2-mysql-vm
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
deleted file mode 100644
index 6d37feb6..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - route:
- - destination:
- host: ratings
- subset: v2-mysql
----
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
deleted file mode 100644
index b99455d7..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- fault:
- abort:
- percentage:
- value: 100.0
- httpStatus: 500
- route:
- - destination:
- host: ratings
- subset: v1
- - route:
- - destination:
- host: ratings
- subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
deleted file mode 100644
index 516eba01..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: ratings
-spec:
- hosts:
- - ratings
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- fault:
- delay:
- percentage:
- value: 100.0
- fixedDelay: 7s
- route:
- - destination:
- host: ratings
- subset: v1
- - route:
- - destination:
- host: ratings
- subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
deleted file mode 100644
index 2883c635..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 50
- - destination:
- host: reviews
- subset: v3
- weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
deleted file mode 100644
index 72683061..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 80
- - destination:
- host: reviews
- subset: v2
- weight: 20
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
deleted file mode 100644
index 4de526f7..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v1
- weight: 90
- - destination:
- host: reviews
- subset: v2
- weight: 10
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
deleted file mode 100644
index c79517b6..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- route:
- - destination:
- host: reviews
- subset: v2
- - route:
- - destination:
- host: reviews
- subset: v3
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
deleted file mode 100644
index d13156e2..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - match:
- - headers:
- end-user:
- exact: jason
- route:
- - destination:
- host: reviews
- subset: v2
- - route:
- - destination:
- host: reviews
- subset: v1
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
deleted file mode 100644
index 28c1fdd9..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v2
- weight: 50
- - destination:
- host: reviews
- subset: v3
- weight: 50
diff --git a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
deleted file mode 100644
index bd2d3f6e..00000000
--- a/istio-1.24.3/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: reviews
-spec:
- hosts:
- - reviews
- http:
- - route:
- - destination:
- host: reviews
- subset: v3
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/README.md b/istio-1.24.3/samples/bookinfo/platform/kube/README.md
deleted file mode 100644
index d1189bec..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio
-docs for instructions on how to run this demo application.
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
deleted file mode 100644
index bce874dc..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt-staging
- namespace: istio-system
-spec:
- acme:
- # The ACME server URL
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- # Email address used for ACME registration
- email: stage@istio.io
- # Name of a secret used to store the ACME account private key
- privateKeySecretRef:
- name: letsencrypt-staging
- # Enable the HTTP-01 challenge provider
- http01: {}
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: Certificate
-metadata:
- name: istio-ingressgateway-certs
- namespace: istio-system
-spec:
- secretName: istio-ingressgateway-certs
- issuerRef:
- name: letsencrypt-staging
- kind: ClusterIssuer
- commonName: bookinfo.example.com
- dnsNames:
- - bookinfo.example.com
- acme:
- config:
- - http01:
- ingressClass: none
- domains:
- - bookinfo.example.com
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml
deleted file mode 100644
index b0887e5a..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-db.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: mongodb
- labels:
- app: mongodb
- service: mongodb
-spec:
- ports:
- - port: 27017
- name: mongo
- selector:
- app: mongodb
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mongodb-v1
- labels:
- app: mongodb
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mongodb
- version: v1
- template:
- metadata:
- labels:
- app: mongodb
- version: v1
- spec:
- containers:
- - name: mongodb
- image: docker.io/istio/examples-bookinfo-mongodb:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 27017
- args:
- - '--ipv6'
- - '--bind_ip_all'
- volumeMounts:
- - name: data-db
- mountPath: /data/db
- volumes:
- - name: data-db
- emptyDir: {}
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml
deleted file mode 100644
index 2a2b59f8..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-dualstack.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies: [IPv6, IPv4]
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
deleted file mode 100644
index 84d4faef..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Details service v2
-##################################################################################################
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v2
- labels:
- app: details
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v2
- template:
- metadata:
- labels:
- app: details
- version: v2
- spec:
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v2:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- env:
- - name: DO_NOT_ENCRYPT
- value: "true"
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml
deleted file mode 100644
index 57024f8a..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-details.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml
deleted file mode 100644
index 8f8d79c7..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-dualstack.yaml
+++ /dev/null
@@ -1,343 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the services, service accounts, and deployments for the Bookinfo sample. -# -# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -# -# Alternatively, you can deploy any resource separately: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ipFamilyPolicy: RequireDualStack - ipFamilies: [IPv6, IPv4] - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - 
account: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.20.2 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ipFamilyPolicy: RequireDualStack - ipFamilies: [IPv6, IPv4] - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ipFamilyPolicy: RequireDualStack - ipFamilies: [IPv4, IPv6] - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: 
ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - 
name: wlp-output - mountPath: /opt/ibm/wlp/output - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ipFamilyPolicy: RequireDualStack - ipFamilies: [IPv4, IPv6] - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9080" - prometheus.io/path: "/metrics" - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - volumes: - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml deleted file mode 100644 index e2143399..00000000 --- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-###########################################################################
-# Ingress resource (gateway)
-##########################################################################
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: gateway
- annotations:
- kubernetes.io/ingress.class: "istio"
-spec:
- rules:
- - http:
- paths:
- - path: /productpage
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /static/
- pathType: Prefix
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /login
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /logout
- pathType: Exact
- backend:
- service:
- name: productpage
- port:
- number: 9080
- - path: /api/v1/products
- pathType: Prefix
- backend:
- service:
- name: productpage
- port:
- number: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
deleted file mode 100644
index 84c74202..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Mysql db services
-# credentials: root/password
-##################################################################################################
-apiVersion: v1
-kind: Secret
-metadata:
- name: mysql-credentials
-type: Opaque
-data:
- rootpasswd: cGFzc3dvcmQ=
----
-apiVersion: v1
-kind: Service
-metadata:
- name: mysqldb
- labels:
- app: mysqldb
- service: mysqldb
-spec:
- ports:
- - port: 3306
- name: tcp
- selector:
- app: mysqldb
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mysqldb-v1
- labels:
- app: mysqldb
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mysqldb
- version: v1
- template:
- metadata:
- labels:
- app: mysqldb
- version: v1
- spec:
- containers:
- - name: mysqldb
- image: docker.io/istio/examples-bookinfo-mysqldb:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 3306
- env:
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysql-credentials
- key: rootpasswd
- args: ["--default-authentication-plugin","mysql_native_password"]
- volumeMounts:
- - name: var-lib-mysql
- mountPath: /var/lib/mysql
- volumes:
- - name: var-lib-mysql
- emptyDir: {}
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml
deleted file mode 100644
index 8e133c9c..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-psa.yaml
+++ /dev/null
@@ -1,363 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# This file defines the same services, service accounts, and deployments as bookinfo.yaml with
-# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission
-# enabled cluster that enforces the baseline policy.
-##################################################################################################
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-details
- labels:
- account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- serviceAccountName: bookinfo-details
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
----
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings
- labels:
- account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- serviceAccountName: bookinfo-ratings
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
----
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews
- labels:
- app: reviews
- service: reviews
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-reviews
- labels:
- account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v1
- labels:
- app: reviews
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v1
- template:
- metadata:
- labels:
- app: reviews
- version: v1
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v3
- labels:
- app: reviews
- version: v3
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v3
- template:
- metadata:
- labels:
- app: reviews
- version: v3
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-productpage
- labels:
- account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: productpage-v1
- labels:
- app: productpage
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: productpage
- version: v1
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9080"
- prometheus.io/path: "/metrics"
- labels:
- app: productpage
- version: v1
- spec:
- serviceAccountName: bookinfo-productpage
- containers:
- - name: productpage
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsNonRoot: true
- volumes:
- - name: tmp
- emptyDir: {}
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml
deleted file mode 100644
index c8364636..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery-dualstack.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies: [IPv6, IPv4]
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
deleted file mode 100644
index 61c4b7f1..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml
deleted file mode 100644
index 7b0833cc..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-dualstack.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies: [IPv6, IPv4]
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
deleted file mode 100644
index 73e3130c..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2-mysql-vm
- labels:
- app: ratings
- version: v2-mysql-vm
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2-mysql-vm
- template:
- metadata:
- labels:
- app: ratings
- version: v2-mysql-vm
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- # This assumes you registered your mysql vm as
- # istioctl register -n vm mysqldb 1.2.3.4 3306
- - name: DB_TYPE
- value: "mysql"
- - name: MYSQL_DB_HOST
- value: mysqldb.vm.svc.cluster.local
- - name: MYSQL_DB_PORT
- value: "3306"
- - name: MYSQL_DB_USER
- value: root
- - name: MYSQL_DB_PASSWORD
- value: password
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
deleted file mode 100644
index 746681b6..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2-mysql
- labels:
- app: ratings
- version: v2-mysql
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2-mysql
- template:
- metadata:
- labels:
- app: ratings
- version: v2-mysql
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- # ratings-v2 will use mongodb as the default db backend.
- # if you would like to use mysqldb then you can use this file
- # which sets DB_TYPE = 'mysql' and the rest of the parameters shown
- # here and also create the # mysqldb service using bookinfo-mysql.yaml
- # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml
- - name: DB_TYPE
- value: "mysql"
- - name: MYSQL_DB_HOST
- value: mysqldb
- - name: MYSQL_DB_PORT
- value: "3306"
- - name: MYSQL_DB_USER
- value: root
- - name: MYSQL_DB_PASSWORD
- value: password
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
deleted file mode 100644
index b06d84fc..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings-v2
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v2
- labels:
- app: ratings
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v2
- template:
- metadata:
- labels:
- app: ratings
- version: v2
- spec:
- serviceAccountName: bookinfo-ratings-v2
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- # ratings-v2 will use mongodb as the default db backend.
- # if you would like to use mysqldb then set DB_TYPE = 'mysql', set
- # the rest of the parameters shown here and also create the
- # mysqldb service using bookinfo-mysql.yaml
- # - name: DB_TYPE #default to
- # value: "mysql"
- # - name: MYSQL_DB_HOST
- # value: mysqldb
- # - name: MYSQL_DB_PORT
- # value: "3306"
- # - name: MYSQL_DB_USER
- # value: root
- # - name: MYSQL_DB_PASSWORD
- # value: password
- - name: MONGO_DB_URL
- value: mongodb://mongodb:27017/test
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
deleted file mode 100644
index 0a55a32e..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
deleted file mode 100644
index 5637ecd8..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Reviews service v2
-##################################################################################################
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml
deleted file mode 100644
index c374bbee..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo-versions.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v2
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v2
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v3
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v3
----
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: details-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
- version: v1
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml
deleted file mode 100644
index 35a8a313..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/bookinfo.yaml
+++ /dev/null
@@ -1,335 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# This file defines the services, service accounts, and deployments for the Bookinfo sample.
-#
-# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
-#
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
-#
-# Alternatively, you can deploy any resource separately:
-#
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
-# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
-##################################################################################################
-
-##################################################################################################
-# Details service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: details
- labels:
- app: details
- service: details
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-details
- labels:
- account: details
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: details-v1
- labels:
- app: details
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: details
- version: v1
- template:
- metadata:
- labels:
- app: details
- version: v1
- spec:
- serviceAccountName: bookinfo-details
- containers:
- - name: details
- image: docker.io/istio/examples-bookinfo-details-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-ratings
- labels:
- account: ratings
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ratings-v1
- labels:
- app: ratings
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ratings
- version: v1
- template:
- metadata:
- labels:
- app: ratings
- version: v1
- spec:
- serviceAccountName: bookinfo-ratings
- containers:
- - name: ratings
- image: docker.io/istio/examples-bookinfo-ratings-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
----
-##################################################################################################
-# Reviews service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews
- labels:
- app: reviews
- service: reviews
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-reviews
- labels:
- account: reviews
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v1
- labels:
- app: reviews
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v1
- template:
- metadata:
- labels:
- app: reviews
- version: v1
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v1:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v2
- labels:
- app: reviews
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v2
- template:
- metadata:
- labels:
- app: reviews
- version: v2
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v2:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reviews-v3
- labels:
- app: reviews
- version: v3
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: reviews
- version: v3
- template:
- metadata:
- labels:
- app: reviews
- version: v3
- spec:
- serviceAccountName: bookinfo-reviews
- containers:
- - name: reviews
- image: docker.io/istio/examples-bookinfo-reviews-v3:1.20.2
- imagePullPolicy: IfNotPresent
- env:
- - name: LOG_DIR
- value: "/tmp/logs"
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: wlp-output
- mountPath: /opt/ibm/wlp/output
- volumes:
- - name: wlp-output
- emptyDir: {}
- - name: tmp
- emptyDir: {}
----
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookinfo-productpage
- labels:
- account: productpage
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: productpage-v1
- labels:
- app: productpage
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: productpage
- version: v1
- template:
- metadata:
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "9080"
- prometheus.io/path: "/metrics"
- labels:
- app: productpage
- version: v1
- spec:
- serviceAccountName: bookinfo-productpage
- containers:
- - name: productpage
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.20.2
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9080
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- volumes:
- - name: tmp
- emptyDir: {}
----
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh
deleted file mode 100755
index ac6720a4..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/cleanup.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-
-# only ask if in interactive mode
-if [[ -t 0 && -z ${NAMESPACE} ]];then
- echo -n "namespace ? [default] "
- read -r NAMESPACE
-fi
-
-# verify if the namespace exists, otherwise use default namespace
-if [[ -n ${NAMESPACE} ]];then
- ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null)
- if [[ -z ${ns} ]];then
- echo "NAMESPACE ${NAMESPACE} not found."
- NAMESPACE=default
- fi
-fi
-
-# if no namespace is provided, use default namespace
-if [[ -z ${NAMESPACE} ]];then
- NAMESPACE=default
-fi
-
-echo "using NAMESPACE=${NAMESPACE}"
-
-# clean up Istio traffic management resources that may have been used
-protos=( destinationrules virtualservices gateways authorizationpolicies )
-for proto in "${protos[@]}"; do
- for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
- kubectl delete -n "${NAMESPACE}" "$resource";
- done
-done
-
-# clean up Gateway API resources that may have been used
-if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then
- protos=( httproutes gateways.gateway.networking.k8s.io )
- for proto in "${protos[@]}"; do
- for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
- kubectl delete -n "${NAMESPACE}" "$resource";
- done
- done
- kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1
-fi
-
-OUTPUT=$(mktemp)
-export OUTPUT
-echo "Application cleanup may take up to one minute"
-kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1
-ret=$?
-function cleanup() {
- rm -f "${OUTPUT}"
-}
-
-trap cleanup EXIT
-
-if [[ ${ret} -eq 0 ]];then
- cat "${OUTPUT}"
-else
- # ignore NotFound errors
- OUT2=$(grep -v NotFound "${OUTPUT}")
- if [[ -n ${OUT2} ]];then
- cat "${OUTPUT}"
- exit ${ret}
- fi
-fi
-
-# wait for 30 sec for bookinfo to clean up
-sleep 30
-
-echo "Application cleanup successful"
diff --git a/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml
deleted file mode 100644
index aadba2e0..00000000
--- a/istio-1.24.3/samples/bookinfo/platform/kube/productpage-nodeport.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- type: NodePort
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
diff --git a/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
deleted file mode 100644
index ef96dc56..00000000
--- a/istio-1.24.3/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: filter-ratelimit
- namespace: istio-system
-spec:
- workloadSelector:
- # select by label in the same namespace
- labels:
- istio: ingressgateway
- configPatches:
- # The Envoy config you want to modify
- - applyTo: HTTP_FILTER
- match:
- context: GATEWAY
- listener:
- filterChain:
- filter:
- name: "envoy.filters.network.http_connection_manager"
- subFilter:
- name: "envoy.filters.http.router"
- patch:
- operation: INSERT_BEFORE
- value:
- name: envoy.ratelimit
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
- # domain can be anything! Match it to the ratelimter service config
- domain: productpage-ratelimit
- failure_mode_deny: true
- rate_limit_service:
- grpc_service:
- envoy_grpc:
- cluster_name: rate_limit_cluster
- timeout: 10s
- - applyTo: CLUSTER
- match:
- cluster:
- service: ratelimit.default.svc.cluster.local
- patch:
- operation: ADD
- value:
- name: rate_limit_cluster
- type: STRICT_DNS
- connect_timeout: 10s
- lb_policy: ROUND_ROBIN
- http2_protocol_options: {}
- load_assignment:
- cluster_name: rate_limit_cluster
- endpoints:
- - lb_endpoints:
- - endpoint:
- address:
- socket_address:
- address: ratelimit.default.svc.cluster.local
- port_value: 8081
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: filter-ratelimit-svc
- namespace: istio-system
-spec:
- workloadSelector:
- labels:
- istio: ingressgateway
- configPatches:
- - applyTo: VIRTUAL_HOST
- match:
- context: GATEWAY
- routeConfiguration:
- vhost:
- name: ""
- route:
- action: ANY
- patch:
- operation: MERGE
- value:
- rate_limits:
- - actions: # any actions in here
- # Multiple actions nest the descriptors
- # - generic_key:
- # descriptor_value: "test"
- - request_headers:
- header_name: ":path"
- descriptor_key: "PATH"
- # - remote_address: {}
- # - destination_cluster: {}
\ No newline at end of file
diff --git a/istio-1.24.3/samples/bookinfo/src/build-services.sh b/istio-1.24.3/samples/bookinfo/src/build-services.sh
deleted file mode 100755
index 74efb909..00000000
--- a/istio-1.24.3/samples/bookinfo/src/build-services.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-#
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -ox errexit
-
-# Get to the root directory of the repo...
-SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-cd "$SCRIPTDIR/../../.."
-
-h="${BOOKINFO_HUB:?BOOKINFO_HUB must be set}"
-t="${BOOKINFO_TAG:?BOOKINFO_TAG must be set}"
-if [[ ("${h}" == "istio" || "${h}" == "docker.io/istio") && -z "$CI" && "$*" =~ "--push" ]]; then
- echo "Can only push to prod registry in CI"
- exit 1
-fi
-
-if [[ "${BOOKINFO_LATEST}" == "true" ]]; then
- BOOKINFO_TAG="${BOOKINFO_TAG},latest"
-fi
-
-# Pass input args to the command. This allows using --push, --load, etc
-env TAGS="${BOOKINFO_TAG}" HUB="${BOOKINFO_HUB}" \
- docker buildx bake -f samples/bookinfo/src/docker-bake.hcl "$@"
-
-if [[ "${BOOKINFO_UPDATE}" == "true" ]]; then
-# Update image references in the yaml files
- find ./samples/bookinfo/platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${h//\//\\/}\\1:$t#g" {} +
-fi
-
diff --git a/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json
deleted file mode 100644
index b4563b50..00000000
--- a/istio-1.24.3/samples/bookinfo/src/mongodb/ratings_data.json
+++ /dev/null
@@ -1,2 +0,0 @@
-{rating: 5}
-{rating: 4}
diff --git a/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh b/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh
deleted file mode 100644
index 7e230ee5..00000000
--- a/istio-1.24.3/samples/bookinfo/src/mongodb/script.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
diff --git a/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt b/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt
deleted file mode 100644
index a2d57a9a..00000000
--- a/istio-1.24.3/samples/bookinfo/src/productpage/requirements.txt
+++ /dev/null
@@ -1,633 +0,0 @@ -# -# This file is autogenerated by pip-compile with Python 3.12 -# by the following command: -# -# pip-compile --generate-hashes requirements.in -# -blinker==1.8.2 \ - --hash=sha256:1779309f71bf239144b9399d06ae925637cf6634cf6bd131104184531bf67c01 \ - --hash=sha256:8f77b09d3bf7c795e969e9486f39c2c5e9c39d4ee07424be2bc594ece9642d83 - # via flask -certifi==2024.7.4 \ - --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ - --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 - # via requests -charset-normalizer==3.3.2 \ - --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ - --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ - --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ - --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ - --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ - --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ - --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ - --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ - --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ - --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ - --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ - --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ - --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ - --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ - --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ - --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ - 
--hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ - --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ - --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ - --hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ - --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ - --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ - --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ - --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ - --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ - --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ - --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ - --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ - --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ - --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ - --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ - --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ - --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ - --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ - --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ - --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ - --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ - --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ - --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ - --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ - 
--hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ - --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ - --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ - --hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ - --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ - --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ - --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ - --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ - --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ - --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ - --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ - --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ - --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ - --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ - --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ - --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ - --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ - --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ - --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ - --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ - --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ - --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ - --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ - --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ - 
--hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ - --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ - --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ - --hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ - --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ - --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ - --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ - --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ - --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ - --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ - --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ - --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ - --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ - --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ - --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ - --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ - --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ - --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ - --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ - --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ - --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ - --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ - --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ - --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ - 
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ - --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 - # via requests -click==8.1.3 \ - --hash=sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e \ - --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 - # via flask -deprecated==1.2.14 \ - --hash=sha256:6fac8b097794a90302bdbb17b9b815e732d3c4720583ff1b198499d78470466c \ - --hash=sha256:e5323eb936458dccc2582dc6f9c322c852a775a27065ff2b0c4970b9d53d01b3 - # via - # opentelemetry-api - # opentelemetry-propagator-b3 -dominate==2.9.1 \ - --hash=sha256:558284687d9b8aae1904e3d6051ad132dd4a8c0cf551b37ea4e7e42a31d19dc4 \ - --hash=sha256:cb7b6b79d33b15ae0a6e87856b984879927c7c2ebb29522df4c75b28ffd9b989 - # via flask-bootstrap -flask==3.0.2 \ - --hash=sha256:3232e0e9c850d781933cf0207523d1ece087eb8d87b23777ae38456e2fbe7c6e \ - --hash=sha256:822c03f4b799204250a7ee84b1eddc40665395333973dfb9deebfe425fefcb7d - # via - # -r requirements.in - # flask-bootstrap - # flask-json -flask-bootstrap==3.3.7.1 \ - --hash=sha256:cb08ed940183f6343a64e465e83b3a3f13c53e1baabb8d72b5da4545ef123ac8 - # via -r requirements.in -flask-json==0.4.0 \ - --hash=sha256:07945d66024f3b77694ce1db5d1fe83940f2aa3bcad8a608535686be67e4bc48 \ - --hash=sha256:1c1b87a657daa2179fc19f1ffc78204a716c7c5139673dc5038772db4d9f1988 - # via -r requirements.in -future==0.18.3 \ - --hash=sha256:34a17436ed1e96697a86f9de3d15a3b0be01d8bc8de9c1dffd59fb8234ed5307 - # via -r requirements.in -gevent==24.2.1 \ - --hash=sha256:03aa5879acd6b7076f6a2a307410fb1e0d288b84b03cdfd8c74db8b4bc882fc5 \ - --hash=sha256:117e5837bc74a1673605fb53f8bfe22feb6e5afa411f524c835b2ddf768db0de \ - --hash=sha256:141a2b24ad14f7b9576965c0c84927fc85f824a9bb19f6ec1e61e845d87c9cd8 \ - --hash=sha256:14532a67f7cb29fb055a0e9b39f16b88ed22c66b96641df8c04bdc38c26b9ea5 \ - --hash=sha256:1dffb395e500613e0452b9503153f8f7ba587c67dd4a85fc7cd7aa7430cb02cc \ - 
--hash=sha256:2955eea9c44c842c626feebf4459c42ce168685aa99594e049d03bedf53c2800 \ - --hash=sha256:2ae3a25ecce0a5b0cd0808ab716bfca180230112bb4bc89b46ae0061d62d4afe \ - --hash=sha256:2e9ac06f225b696cdedbb22f9e805e2dd87bf82e8fa5e17756f94e88a9d37cf7 \ - --hash=sha256:368a277bd9278ddb0fde308e6a43f544222d76ed0c4166e0d9f6b036586819d9 \ - --hash=sha256:3adfb96637f44010be8abd1b5e73b5070f851b817a0b182e601202f20fa06533 \ - --hash=sha256:3d5325ccfadfd3dcf72ff88a92fb8fc0b56cacc7225f0f4b6dcf186c1a6eeabc \ - --hash=sha256:432fc76f680acf7cf188c2ee0f5d3ab73b63c1f03114c7cd8a34cebbe5aa2056 \ - --hash=sha256:44098038d5e2749b0784aabb27f1fcbb3f43edebedf64d0af0d26955611be8d6 \ - --hash=sha256:5a1df555431f5cd5cc189a6ee3544d24f8c52f2529134685f1e878c4972ab026 \ - --hash=sha256:6c47ae7d1174617b3509f5d884935e788f325eb8f1a7efc95d295c68d83cce40 \ - --hash=sha256:6f947a9abc1a129858391b3d9334c45041c08a0f23d14333d5b844b6e5c17a07 \ - --hash=sha256:782a771424fe74bc7e75c228a1da671578c2ba4ddb2ca09b8f959abdf787331e \ - --hash=sha256:7899a38d0ae7e817e99adb217f586d0a4620e315e4de577444ebeeed2c5729be \ - --hash=sha256:7b00f8c9065de3ad226f7979154a7b27f3b9151c8055c162332369262fc025d8 \ - --hash=sha256:8f4b8e777d39013595a7740b4463e61b1cfe5f462f1b609b28fbc1e4c4ff01e5 \ - --hash=sha256:90cbac1ec05b305a1b90ede61ef73126afdeb5a804ae04480d6da12c56378df1 \ - --hash=sha256:918cdf8751b24986f915d743225ad6b702f83e1106e08a63b736e3a4c6ead789 \ - --hash=sha256:9202f22ef811053077d01f43cc02b4aaf4472792f9fd0f5081b0b05c926cca19 \ - --hash=sha256:94138682e68ec197db42ad7442d3cf9b328069c3ad8e4e5022e6b5cd3e7ffae5 \ - --hash=sha256:968581d1717bbcf170758580f5f97a2925854943c45a19be4d47299507db2eb7 \ - --hash=sha256:9d8d0642c63d453179058abc4143e30718b19a85cbf58c2744c9a63f06a1d388 \ - --hash=sha256:a7ceb59986456ce851160867ce4929edaffbd2f069ae25717150199f8e1548b8 \ - --hash=sha256:b9913c45d1be52d7a5db0c63977eebb51f68a2d5e6fd922d1d9b5e5fd758cc98 \ - --hash=sha256:bde283313daf0b34a8d1bab30325f5cb0f4e11b5869dbe5bc61f8fe09a8f66f3 \ - 
--hash=sha256:bf5b9c72b884c6f0c4ed26ef204ee1f768b9437330422492c319470954bc4cc7 \ - --hash=sha256:ca80b121bbec76d7794fcb45e65a7eca660a76cc1a104ed439cdbd7df5f0b060 \ - --hash=sha256:cdf66977a976d6a3cfb006afdf825d1482f84f7b81179db33941f2fc9673bb1d \ - --hash=sha256:d4faf846ed132fd7ebfbbf4fde588a62d21faa0faa06e6f468b7faa6f436b661 \ - --hash=sha256:d7f87c2c02e03d99b95cfa6f7a776409083a9e4d468912e18c7680437b29222c \ - --hash=sha256:dd23df885318391856415e20acfd51a985cba6919f0be78ed89f5db9ff3a31cb \ - --hash=sha256:f5de3c676e57177b38857f6e3cdfbe8f38d1cd754b63200c0615eaa31f514b4f \ - --hash=sha256:f5e8e8d60e18d5f7fd49983f0c4696deeddaf6e608fbab33397671e2fcc6cc91 \ - --hash=sha256:f7cac622e11b4253ac4536a654fe221249065d9a69feb6cdcd4d9af3503602e0 \ - --hash=sha256:f8a04cf0c5b7139bc6368b461257d4a757ea2fe89b3773e494d235b7dd51119f \ - --hash=sha256:f8bb35ce57a63c9a6896c71a285818a3922d8ca05d150fd1fe49a7f57287b836 \ - --hash=sha256:fbfdce91239fe306772faab57597186710d5699213f4df099d1612da7320d682 - # via -r requirements.in -greenlet==3.0.3 \ - --hash=sha256:01bc7ea167cf943b4c802068e178bbf70ae2e8c080467070d01bfa02f337ee67 \ - --hash=sha256:0448abc479fab28b00cb472d278828b3ccca164531daab4e970a0458786055d6 \ - --hash=sha256:086152f8fbc5955df88382e8a75984e2bb1c892ad2e3c80a2508954e52295257 \ - --hash=sha256:098d86f528c855ead3479afe84b49242e174ed262456c342d70fc7f972bc13c4 \ - --hash=sha256:149e94a2dd82d19838fe4b2259f1b6b9957d5ba1b25640d2380bea9c5df37676 \ - --hash=sha256:1551a8195c0d4a68fac7a4325efac0d541b48def35feb49d803674ac32582f61 \ - --hash=sha256:15d79dd26056573940fcb8c7413d84118086f2ec1a8acdfa854631084393efcc \ - --hash=sha256:1996cb9306c8595335bb157d133daf5cf9f693ef413e7673cb07e3e5871379ca \ - --hash=sha256:1a7191e42732df52cb5f39d3527217e7ab73cae2cb3694d241e18f53d84ea9a7 \ - --hash=sha256:1ea188d4f49089fc6fb283845ab18a2518d279c7cd9da1065d7a84e991748728 \ - --hash=sha256:1f672519db1796ca0d8753f9e78ec02355e862d0998193038c7073045899f305 \ - 
--hash=sha256:2516a9957eed41dd8f1ec0c604f1cdc86758b587d964668b5b196a9db5bfcde6 \ - --hash=sha256:2797aa5aedac23af156bbb5a6aa2cd3427ada2972c828244eb7d1b9255846379 \ - --hash=sha256:2dd6e660effd852586b6a8478a1d244b8dc90ab5b1321751d2ea15deb49ed414 \ - --hash=sha256:3ddc0f794e6ad661e321caa8d2f0a55ce01213c74722587256fb6566049a8b04 \ - --hash=sha256:3ed7fb269f15dc662787f4119ec300ad0702fa1b19d2135a37c2c4de6fadfd4a \ - --hash=sha256:419b386f84949bf0e7c73e6032e3457b82a787c1ab4a0e43732898a761cc9dbf \ - --hash=sha256:43374442353259554ce33599da8b692d5aa96f8976d567d4badf263371fbe491 \ - --hash=sha256:52f59dd9c96ad2fc0d5724107444f76eb20aaccb675bf825df6435acb7703559 \ - --hash=sha256:57e8974f23e47dac22b83436bdcf23080ade568ce77df33159e019d161ce1d1e \ - --hash=sha256:5b51e85cb5ceda94e79d019ed36b35386e8c37d22f07d6a751cb659b180d5274 \ - --hash=sha256:649dde7de1a5eceb258f9cb00bdf50e978c9db1b996964cd80703614c86495eb \ - --hash=sha256:64d7675ad83578e3fc149b617a444fab8efdafc9385471f868eb5ff83e446b8b \ - --hash=sha256:68834da854554926fbedd38c76e60c4a2e3198c6fbed520b106a8986445caaf9 \ - --hash=sha256:6b66c9c1e7ccabad3a7d037b2bcb740122a7b17a53734b7d72a344ce39882a1b \ - --hash=sha256:70fb482fdf2c707765ab5f0b6655e9cfcf3780d8d87355a063547b41177599be \ - --hash=sha256:7170375bcc99f1a2fbd9c306f5be8764eaf3ac6b5cb968862cad4c7057756506 \ - --hash=sha256:73a411ef564e0e097dbe7e866bb2dda0f027e072b04da387282b02c308807405 \ - --hash=sha256:77457465d89b8263bca14759d7c1684df840b6811b2499838cc5b040a8b5b113 \ - --hash=sha256:7f362975f2d179f9e26928c5b517524e89dd48530a0202570d55ad6ca5d8a56f \ - --hash=sha256:81bb9c6d52e8321f09c3d165b2a78c680506d9af285bfccbad9fb7ad5a5da3e5 \ - --hash=sha256:881b7db1ebff4ba09aaaeae6aa491daeb226c8150fc20e836ad00041bcb11230 \ - --hash=sha256:894393ce10ceac937e56ec00bb71c4c2f8209ad516e96033e4b3b1de270e200d \ - --hash=sha256:99bf650dc5d69546e076f413a87481ee1d2d09aaaaaca058c9251b6d8c14783f \ - --hash=sha256:9da2bd29ed9e4f15955dd1595ad7bc9320308a3b766ef7f837e23ad4b4aac31a \ - 
--hash=sha256:afaff6cf5200befd5cec055b07d1c0a5a06c040fe5ad148abcd11ba6ab9b114e \ - --hash=sha256:b1b5667cced97081bf57b8fa1d6bfca67814b0afd38208d52538316e9422fc61 \ - --hash=sha256:b37eef18ea55f2ffd8f00ff8fe7c8d3818abd3e25fb73fae2ca3b672e333a7a6 \ - --hash=sha256:b542be2440edc2d48547b5923c408cbe0fc94afb9f18741faa6ae970dbcb9b6d \ - --hash=sha256:b7dcbe92cc99f08c8dd11f930de4d99ef756c3591a5377d1d9cd7dd5e896da71 \ - --hash=sha256:b7f009caad047246ed379e1c4dbcb8b020f0a390667ea74d2387be2998f58a22 \ - --hash=sha256:bba5387a6975598857d86de9eac14210a49d554a77eb8261cc68b7d082f78ce2 \ - --hash=sha256:c5e1536de2aad7bf62e27baf79225d0d64360d4168cf2e6becb91baf1ed074f3 \ - --hash=sha256:c5ee858cfe08f34712f548c3c363e807e7186f03ad7a5039ebadb29e8c6be067 \ - --hash=sha256:c9db1c18f0eaad2f804728c67d6c610778456e3e1cc4ab4bbd5eeb8e6053c6fc \ - --hash=sha256:d353cadd6083fdb056bb46ed07e4340b0869c305c8ca54ef9da3421acbdf6881 \ - --hash=sha256:d46677c85c5ba00a9cb6f7a00b2bfa6f812192d2c9f7d9c4f6a55b60216712f3 \ - --hash=sha256:d4d1ac74f5c0c0524e4a24335350edad7e5f03b9532da7ea4d3c54d527784f2e \ - --hash=sha256:d73a9fe764d77f87f8ec26a0c85144d6a951a6c438dfe50487df5595c6373eac \ - --hash=sha256:da70d4d51c8b306bb7a031d5cff6cc25ad253affe89b70352af5f1cb68e74b53 \ - --hash=sha256:daf3cb43b7cf2ba96d614252ce1684c1bccee6b2183a01328c98d36fcd7d5cb0 \ - --hash=sha256:dca1e2f3ca00b84a396bc1bce13dd21f680f035314d2379c4160c98153b2059b \ - --hash=sha256:dd4f49ae60e10adbc94b45c0b5e6a179acc1736cf7a90160b404076ee283cf83 \ - --hash=sha256:e1f145462f1fa6e4a4ae3c0f782e580ce44d57c8f2c7aae1b6fa88c0b2efdb41 \ - --hash=sha256:e3391d1e16e2a5a1507d83e4a8b100f4ee626e8eca43cf2cadb543de69827c4c \ - --hash=sha256:fcd2469d6a2cf298f198f0487e0a5b1a47a42ca0fa4dfd1b6862c999f018ebbf \ - --hash=sha256:fd096eb7ffef17c456cfa587523c5f92321ae02427ff955bebe9e3c63bc9f0da \ - --hash=sha256:fe754d231288e1e64323cfad462fcee8f0288654c10bdf4f603a39ed923bef33 - # via gevent -gunicorn==22.0.0 \ - 
--hash=sha256:350679f91b24062c86e386e198a15438d53a7a8207235a78ba1b53df4c4378d9 \ - --hash=sha256:4a0b436239ff76fb33f11c07a16482c521a7e09c1ce3cc293c2330afe01bec63 - # via -r requirements.in -idna==3.7 \ - --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ - --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 - # via requests -importlib-metadata==6.11.0 \ - --hash=sha256:1231cf92d825c9e03cfc4da076a16de6422c863558229ea0b22b675657463443 \ - --hash=sha256:f0afba6205ad8f8947c7d338b5342d5db2afbfd82f9cbef7879a9539cc12eb9b - # via opentelemetry-api -itsdangerous==2.2.0 \ - --hash=sha256:c6242fc49e35958c8b15141343aa660db5fc54d4f13a1db01a3f5891b98700ef \ - --hash=sha256:e0050c0b7da1eea53ffaf149c0cfbb5c6e2e2b69c4bef22c81fa6eb73e5f6173 - # via flask -jinja2==3.1.4 \ - --hash=sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369 \ - --hash=sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d - # via flask -json2html==1.3.0 \ - --hash=sha256:8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c34600689c - # via -r requirements.in -markupsafe==2.1.5 \ - --hash=sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf \ - --hash=sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff \ - --hash=sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f \ - --hash=sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3 \ - --hash=sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532 \ - --hash=sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f \ - --hash=sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617 \ - --hash=sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df \ - --hash=sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4 \ - --hash=sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906 \ - 
--hash=sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f \ - --hash=sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4 \ - --hash=sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8 \ - --hash=sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371 \ - --hash=sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2 \ - --hash=sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465 \ - --hash=sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52 \ - --hash=sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6 \ - --hash=sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169 \ - --hash=sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad \ - --hash=sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2 \ - --hash=sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0 \ - --hash=sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029 \ - --hash=sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f \ - --hash=sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a \ - --hash=sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced \ - --hash=sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5 \ - --hash=sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c \ - --hash=sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf \ - --hash=sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9 \ - --hash=sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb \ - --hash=sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad \ - --hash=sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3 \ - --hash=sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1 \ - 
--hash=sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46 \ - --hash=sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc \ - --hash=sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a \ - --hash=sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee \ - --hash=sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900 \ - --hash=sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5 \ - --hash=sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea \ - --hash=sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f \ - --hash=sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5 \ - --hash=sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e \ - --hash=sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a \ - --hash=sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f \ - --hash=sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50 \ - --hash=sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a \ - --hash=sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b \ - --hash=sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4 \ - --hash=sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff \ - --hash=sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2 \ - --hash=sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46 \ - --hash=sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b \ - --hash=sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf \ - --hash=sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5 \ - --hash=sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5 \ - --hash=sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab \ - 
--hash=sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd \ - --hash=sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68 - # via - # jinja2 - # werkzeug -opentelemetry-api==1.22.0 \ - --hash=sha256:15ae4ca925ecf9cfdfb7a709250846fbb08072260fca08ade78056c502b86bed \ - --hash=sha256:43621514301a7e9f5d06dd8013a1b450f30c2e9372b8e30aaeb4562abf2ce034 - # via - # -r requirements.in - # opentelemetry-instrumentation - # opentelemetry-instrumentation-flask - # opentelemetry-instrumentation-wsgi - # opentelemetry-propagator-b3 - # opentelemetry-sdk -opentelemetry-instrumentation==0.43b0 \ - --hash=sha256:0ff1334d7e359e27640e9d420024efeb73eacae464309c2e14ede7ba6c93967e \ - --hash=sha256:c3755da6c4be8033be0216d0501e11f4832690f4e2eca5a3576fbf113498f0f6 - # via - # -r requirements.in - # opentelemetry-instrumentation-flask - # opentelemetry-instrumentation-wsgi -opentelemetry-instrumentation-flask==0.43b0 \ - --hash=sha256:537aecdd8de1c00f9b408d7a02b85e9ba55cda1ed95f4712199478ceaa4dfb2c \ - --hash=sha256:ea3779f157a7efe82d0e10a59af64440e34b5e8004eaee08d7d61bbb889701fa - # via -r requirements.in -opentelemetry-instrumentation-wsgi==0.43b0 \ - --hash=sha256:0b7511469daa29a6e75b9cc54b4d01a9bb46aa1f964471dc3ee3f06ff39f94b2 \ - --hash=sha256:3a1cf045f7ccf04987a89cdd49eda93e9195de4c8b73be228a9e565ec3ab453c - # via - # -r requirements.in - # opentelemetry-instrumentation-flask -opentelemetry-propagator-b3==1.22.0 \ - --hash=sha256:3270f17bceb46338d700b5a09ff2e0499ec4f5189b3a4114bc3f2e64283b317d \ - --hash=sha256:cef5528b5c16866fdf7d6d6eb5dfbca216f071cda3c87da658cedf3451e6f6bf - # via -r requirements.in -opentelemetry-sdk==1.22.0 \ - --hash=sha256:45267ac1f38a431fc2eb5d6e0c0d83afc0b78de57ac345488aa58c28c17991d0 \ - --hash=sha256:a730555713d7c8931657612a88a141e3a4fe6eb5523d9e2d5a8b1e673d76efa6 - # via -r requirements.in -opentelemetry-semantic-conventions==0.43b0 \ - --hash=sha256:291284d7c1bf15fdaddf309b3bd6d3b7ce12a253cec6d27144439819a15d8445 \ - 
--hash=sha256:b9576fb890df479626fa624e88dde42d3d60b8b6c8ae1152ad157a8b97358635 - # via - # -r requirements.in - # opentelemetry-instrumentation-flask - # opentelemetry-instrumentation-wsgi - # opentelemetry-sdk -opentelemetry-util-http==0.43b0 \ - --hash=sha256:3ff6ab361dbe99fc81200d625603c0fb890c055c6e416a3e6d661ddf47a6c7f7 \ - --hash=sha256:f25a820784b030f6cb86b3d76e5676c769b75ed3f55a210bcdae0a5e175ebadb - # via - # -r requirements.in - # opentelemetry-instrumentation-flask - # opentelemetry-instrumentation-wsgi -packaging==24.0 \ - --hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \ - --hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9 - # via - # gunicorn - # opentelemetry-instrumentation-flask -prometheus-client==0.19.0 \ - --hash=sha256:4585b0d1223148c27a225b10dbec5ae9bc4c81a99a3fa80774fa6209935324e1 \ - --hash=sha256:c88b1e6ecf6b41cd8fb5731c7ae919bf66df6ec6fafa555cd6c0e16ca169ae92 - # via -r requirements.in -requests==2.32.2 \ - --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ - --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c - # via -r requirements.in -simplejson==3.19.2 \ - --hash=sha256:0405984f3ec1d3f8777c4adc33eac7ab7a3e629f3b1c05fdded63acc7cf01137 \ - --hash=sha256:0436a70d8eb42bea4fe1a1c32d371d9bb3b62c637969cb33970ad624d5a3336a \ - --hash=sha256:061e81ea2d62671fa9dea2c2bfbc1eec2617ae7651e366c7b4a2baf0a8c72cae \ - --hash=sha256:064300a4ea17d1cd9ea1706aa0590dcb3be81112aac30233823ee494f02cb78a \ - --hash=sha256:08889f2f597ae965284d7b52a5c3928653a9406d88c93e3161180f0abc2433ba \ - --hash=sha256:0a48679310e1dd5c9f03481799311a65d343748fe86850b7fb41df4e2c00c087 \ - --hash=sha256:0b0a3eb6dd39cce23801a50c01a0976971498da49bc8a0590ce311492b82c44b \ - --hash=sha256:0d2d5119b1d7a1ed286b8af37357116072fc96700bce3bec5bb81b2e7057ab41 \ - --hash=sha256:0d551dc931638e2102b8549836a1632e6e7cf620af3d093a7456aa642bff601d \ - 
--hash=sha256:1018bd0d70ce85f165185d2227c71e3b1e446186f9fa9f971b69eee223e1e3cd \ - --hash=sha256:11c39fbc4280d7420684494373b7c5904fa72a2b48ef543a56c2d412999c9e5d \ - --hash=sha256:11cc3afd8160d44582543838b7e4f9aa5e97865322844b75d51bf4e0e413bb3e \ - --hash=sha256:1537b3dd62d8aae644f3518c407aa8469e3fd0f179cdf86c5992792713ed717a \ - --hash=sha256:16ca9c90da4b1f50f089e14485db8c20cbfff2d55424062791a7392b5a9b3ff9 \ - --hash=sha256:176a1b524a3bd3314ed47029a86d02d5a95cc0bee15bd3063a1e1ec62b947de6 \ - --hash=sha256:18955c1da6fc39d957adfa346f75226246b6569e096ac9e40f67d102278c3bcb \ - --hash=sha256:1bb5b50dc6dd671eb46a605a3e2eb98deb4a9af787a08fcdddabe5d824bb9664 \ - --hash=sha256:1c768e7584c45094dca4b334af361e43b0aaa4844c04945ac7d43379eeda9bc2 \ - --hash=sha256:1dd4f692304854352c3e396e9b5f0a9c9e666868dd0bdc784e2ac4c93092d87b \ - --hash=sha256:25785d038281cd106c0d91a68b9930049b6464288cea59ba95b35ee37c2d23a5 \ - --hash=sha256:287e39ba24e141b046812c880f4619d0ca9e617235d74abc27267194fc0c7835 \ - --hash=sha256:2c1467d939932901a97ba4f979e8f2642415fcf02ea12f53a4e3206c9c03bc17 \ - --hash=sha256:2c433a412e96afb9a3ce36fa96c8e61a757af53e9c9192c97392f72871e18e69 \ - --hash=sha256:2d022b14d7758bfb98405672953fe5c202ea8a9ccf9f6713c5bd0718eba286fd \ - --hash=sha256:2f98d918f7f3aaf4b91f2b08c0c92b1774aea113334f7cde4fe40e777114dbe6 \ - --hash=sha256:2fc697be37585eded0c8581c4788fcfac0e3f84ca635b73a5bf360e28c8ea1a2 \ - --hash=sha256:3194cd0d2c959062b94094c0a9f8780ffd38417a5322450a0db0ca1a23e7fbd2 \ - --hash=sha256:332c848f02d71a649272b3f1feccacb7e4f7e6de4a2e6dc70a32645326f3d428 \ - --hash=sha256:346820ae96aa90c7d52653539a57766f10f33dd4be609206c001432b59ddf89f \ - --hash=sha256:3471e95110dcaf901db16063b2e40fb394f8a9e99b3fe9ee3acc6f6ef72183a2 \ - --hash=sha256:3848427b65e31bea2c11f521b6fc7a3145d6e501a1038529da2391aff5970f2f \ - --hash=sha256:39b6d79f5cbfa3eb63a869639cfacf7c41d753c64f7801efc72692c1b2637ac7 \ - --hash=sha256:3e74355cb47e0cd399ead3477e29e2f50e1540952c22fb3504dda0184fc9819f \ - 
--hash=sha256:3f39bb1f6e620f3e158c8b2eaf1b3e3e54408baca96a02fe891794705e788637 \ - --hash=sha256:40847f617287a38623507d08cbcb75d51cf9d4f9551dd6321df40215128325a3 \ - --hash=sha256:4280e460e51f86ad76dc456acdbfa9513bdf329556ffc8c49e0200878ca57816 \ - --hash=sha256:445a96543948c011a3a47c8e0f9d61e9785df2544ea5be5ab3bc2be4bd8a2565 \ - --hash=sha256:4969d974d9db826a2c07671273e6b27bc48e940738d768fa8f33b577f0978378 \ - --hash=sha256:49aaf4546f6023c44d7e7136be84a03a4237f0b2b5fb2b17c3e3770a758fc1a0 \ - --hash=sha256:49e0e3faf3070abdf71a5c80a97c1afc059b4f45a5aa62de0c2ca0444b51669b \ - --hash=sha256:49f9da0d6cd17b600a178439d7d2d57c5ef01f816b1e0e875e8e8b3b42db2693 \ - --hash=sha256:4a8c3cc4f9dfc33220246760358c8265dad6e1104f25f0077bbca692d616d358 \ - --hash=sha256:4d36081c0b1c12ea0ed62c202046dca11438bee48dd5240b7c8de8da62c620e9 \ - --hash=sha256:4edcd0bf70087b244ba77038db23cd98a1ace2f91b4a3ecef22036314d77ac23 \ - --hash=sha256:554313db34d63eac3b3f42986aa9efddd1a481169c12b7be1e7512edebff8eaf \ - --hash=sha256:5675e9d8eeef0aa06093c1ff898413ade042d73dc920a03e8cea2fb68f62445a \ - --hash=sha256:60848ab779195b72382841fc3fa4f71698a98d9589b0a081a9399904487b5832 \ - --hash=sha256:66e5dc13bfb17cd6ee764fc96ccafd6e405daa846a42baab81f4c60e15650414 \ - --hash=sha256:6779105d2fcb7fcf794a6a2a233787f6bbd4731227333a072d8513b252ed374f \ - --hash=sha256:6ad331349b0b9ca6da86064a3599c425c7a21cd41616e175ddba0866da32df48 \ - --hash=sha256:6f0a0b41dd05eefab547576bed0cf066595f3b20b083956b1405a6f17d1be6ad \ - --hash=sha256:73a8a4653f2e809049999d63530180d7b5a344b23a793502413ad1ecea9a0290 \ - --hash=sha256:778331444917108fa8441f59af45886270d33ce8a23bfc4f9b192c0b2ecef1b3 \ - --hash=sha256:7cb98be113911cb0ad09e5523d0e2a926c09a465c9abb0784c9269efe4f95917 \ - --hash=sha256:7d74beca677623481810c7052926365d5f07393c72cbf62d6cce29991b676402 \ - --hash=sha256:7f2398361508c560d0bf1773af19e9fe644e218f2a814a02210ac2c97ad70db0 \ - --hash=sha256:8434dcdd347459f9fd9c526117c01fe7ca7b016b6008dddc3c13471098f4f0dc \ - 
--hash=sha256:8a390e56a7963e3946ff2049ee1eb218380e87c8a0e7608f7f8790ba19390867 \ - --hash=sha256:92c4a4a2b1f4846cd4364855cbac83efc48ff5a7d7c06ba014c792dd96483f6f \ - --hash=sha256:9300aee2a8b5992d0f4293d88deb59c218989833e3396c824b69ba330d04a589 \ - --hash=sha256:9453419ea2ab9b21d925d0fd7e3a132a178a191881fab4169b6f96e118cc25bb \ - --hash=sha256:9652e59c022e62a5b58a6f9948b104e5bb96d3b06940c6482588176f40f4914b \ - --hash=sha256:972a7833d4a1fcf7a711c939e315721a88b988553fc770a5b6a5a64bd6ebeba3 \ - --hash=sha256:9c1a4393242e321e344213a90a1e3bf35d2f624aa8b8f6174d43e3c6b0e8f6eb \ - --hash=sha256:9e038c615b3906df4c3be8db16b3e24821d26c55177638ea47b3f8f73615111c \ - --hash=sha256:9e4c166f743bb42c5fcc60760fb1c3623e8fda94f6619534217b083e08644b46 \ - --hash=sha256:9eb117db8d7ed733a7317c4215c35993b815bf6aeab67523f1f11e108c040672 \ - --hash=sha256:9eb442a2442ce417801c912df68e1f6ccfcd41577ae7274953ab3ad24ef7d82c \ - --hash=sha256:a3cd18e03b0ee54ea4319cdcce48357719ea487b53f92a469ba8ca8e39df285e \ - --hash=sha256:a8617625369d2d03766413bff9e64310feafc9fc4f0ad2b902136f1a5cd8c6b0 \ - --hash=sha256:a970a2e6d5281d56cacf3dc82081c95c1f4da5a559e52469287457811db6a79b \ - --hash=sha256:aad7405c033d32c751d98d3a65801e2797ae77fac284a539f6c3a3e13005edc4 \ - --hash=sha256:adcb3332979cbc941b8fff07181f06d2b608625edc0a4d8bc3ffc0be414ad0c4 \ - --hash=sha256:af9c7e6669c4d0ad7362f79cb2ab6784d71147503e62b57e3d95c4a0f222c01c \ - --hash=sha256:b01fda3e95d07a6148702a641e5e293b6da7863f8bc9b967f62db9461330562c \ - --hash=sha256:b8d940fd28eb34a7084877747a60873956893e377f15a32ad445fe66c972c3b8 \ - --hash=sha256:bccb3e88ec26ffa90f72229f983d3a5d1155e41a1171190fa723d4135523585b \ - --hash=sha256:bcedf4cae0d47839fee7de344f96b5694ca53c786f28b5f773d4f0b265a159eb \ - --hash=sha256:be893258d5b68dd3a8cba8deb35dc6411db844a9d35268a8d3793b9d9a256f80 \ - --hash=sha256:c0521e0f07cb56415fdb3aae0bbd8701eb31a9dfef47bb57206075a0584ab2a2 \ - --hash=sha256:c594642d6b13d225e10df5c16ee15b3398e21a35ecd6aee824f107a625690374 \ - 
--hash=sha256:c87c22bd6a987aca976e3d3e23806d17f65426191db36d40da4ae16a6a494cbc \ - --hash=sha256:c9ac1c2678abf9270e7228133e5b77c6c3c930ad33a3c1dfbdd76ff2c33b7b50 \ - --hash=sha256:d0e5ffc763678d48ecc8da836f2ae2dd1b6eb2d27a48671066f91694e575173c \ - --hash=sha256:d0f402e787e6e7ee7876c8b05e2fe6464820d9f35ba3f172e95b5f8b699f6c7f \ - --hash=sha256:d222a9ed082cd9f38b58923775152003765016342a12f08f8c123bf893461f28 \ - --hash=sha256:d94245caa3c61f760c4ce4953cfa76e7739b6f2cbfc94cc46fff6c050c2390c5 \ - --hash=sha256:de9a2792612ec6def556d1dc621fd6b2073aff015d64fba9f3e53349ad292734 \ - --hash=sha256:e2f5a398b5e77bb01b23d92872255e1bcb3c0c719a3be40b8df146570fe7781a \ - --hash=sha256:e8dd53a8706b15bc0e34f00e6150fbefb35d2fd9235d095b4f83b3c5ed4fa11d \ - --hash=sha256:e9eb3cff1b7d71aa50c89a0536f469cb8d6dcdd585d8f14fb8500d822f3bdee4 \ - --hash=sha256:ed628c1431100b0b65387419551e822987396bee3c088a15d68446d92f554e0c \ - --hash=sha256:ef7938a78447174e2616be223f496ddccdbf7854f7bf2ce716dbccd958cc7d13 \ - --hash=sha256:f1c70249b15e4ce1a7d5340c97670a95f305ca79f376887759b43bb33288c973 \ - --hash=sha256:f3c7363a8cb8c5238878ec96c5eb0fc5ca2cb11fc0c7d2379863d342c6ee367a \ - --hash=sha256:fbbcc6b0639aa09b9649f36f1bcb347b19403fe44109948392fbb5ea69e48c3e \ - --hash=sha256:febffa5b1eda6622d44b245b0685aff6fb555ce0ed734e2d7b1c3acd018a2cff \ - --hash=sha256:ff836cd4041e16003549449cc0a5e372f6b6f871eb89007ab0ee18fb2800fded - # via -r requirements.in -typing-extensions==4.11.0 \ - --hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ - --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a - # via opentelemetry-sdk -urllib3==2.2.2 \ - --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ - --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 - # via - # -r requirements.in - # requests -visitor==0.1.3 \ - --hash=sha256:2c737903b2b6864ebc6167eef7cf3b997126f1aa94bdf590f90f1436d23e480a - # via 
flask-bootstrap -werkzeug==3.0.3 \ - --hash=sha256:097e5bfda9f0aba8da6b8545146def481d06aa7d3266e7448e2cccf67dd8bd18 \ - --hash=sha256:fc9645dc43e03e4d630d23143a04a7f947a9a3b5727cd535fdfe155a17cc48c8 - # via flask -wrapt==1.16.0 \ - --hash=sha256:0d2691979e93d06a95a26257adb7bfd0c93818e89b1406f5a28f36e0d8c1e1fc \ - --hash=sha256:14d7dc606219cdd7405133c713f2c218d4252f2a469003f8c46bb92d5d095d81 \ - --hash=sha256:1a5db485fe2de4403f13fafdc231b0dbae5eca4359232d2efc79025527375b09 \ - --hash=sha256:1acd723ee2a8826f3d53910255643e33673e1d11db84ce5880675954183ec47e \ - --hash=sha256:1ca9b6085e4f866bd584fb135a041bfc32cab916e69f714a7d1d397f8c4891ca \ - --hash=sha256:1dd50a2696ff89f57bd8847647a1c363b687d3d796dc30d4dd4a9d1689a706f0 \ - --hash=sha256:2076fad65c6736184e77d7d4729b63a6d1ae0b70da4868adeec40989858eb3fb \ - --hash=sha256:2a88e6010048489cda82b1326889ec075a8c856c2e6a256072b28eaee3ccf487 \ - --hash=sha256:3ebf019be5c09d400cf7b024aa52b1f3aeebeff51550d007e92c3c1c4afc2a40 \ - --hash=sha256:418abb18146475c310d7a6dc71143d6f7adec5b004ac9ce08dc7a34e2babdc5c \ - --hash=sha256:43aa59eadec7890d9958748db829df269f0368521ba6dc68cc172d5d03ed8060 \ - --hash=sha256:44a2754372e32ab315734c6c73b24351d06e77ffff6ae27d2ecf14cf3d229202 \ - --hash=sha256:490b0ee15c1a55be9c1bd8609b8cecd60e325f0575fc98f50058eae366e01f41 \ - --hash=sha256:49aac49dc4782cb04f58986e81ea0b4768e4ff197b57324dcbd7699c5dfb40b9 \ - --hash=sha256:5eb404d89131ec9b4f748fa5cfb5346802e5ee8836f57d516576e61f304f3b7b \ - --hash=sha256:5f15814a33e42b04e3de432e573aa557f9f0f56458745c2074952f564c50e664 \ - --hash=sha256:5f370f952971e7d17c7d1ead40e49f32345a7f7a5373571ef44d800d06b1899d \ - --hash=sha256:66027d667efe95cc4fa945af59f92c5a02c6f5bb6012bff9e60542c74c75c362 \ - --hash=sha256:66dfbaa7cfa3eb707bbfcd46dab2bc6207b005cbc9caa2199bcbc81d95071a00 \ - --hash=sha256:685f568fa5e627e93f3b52fda002c7ed2fa1800b50ce51f6ed1d572d8ab3e7fc \ - --hash=sha256:6906c4100a8fcbf2fa735f6059214bb13b97f75b1a61777fcf6432121ef12ef1 \ - 
--hash=sha256:6a42cd0cfa8ffc1915aef79cb4284f6383d8a3e9dcca70c445dcfdd639d51267 \ - --hash=sha256:6dcfcffe73710be01d90cae08c3e548d90932d37b39ef83969ae135d36ef3956 \ - --hash=sha256:6f6eac2360f2d543cc875a0e5efd413b6cbd483cb3ad7ebf888884a6e0d2e966 \ - --hash=sha256:72554a23c78a8e7aa02abbd699d129eead8b147a23c56e08d08dfc29cfdddca1 \ - --hash=sha256:73870c364c11f03ed072dda68ff7aea6d2a3a5c3fe250d917a429c7432e15228 \ - --hash=sha256:73aa7d98215d39b8455f103de64391cb79dfcad601701a3aa0dddacf74911d72 \ - --hash=sha256:75ea7d0ee2a15733684badb16de6794894ed9c55aa5e9903260922f0482e687d \ - --hash=sha256:7bd2d7ff69a2cac767fbf7a2b206add2e9a210e57947dd7ce03e25d03d2de292 \ - --hash=sha256:807cc8543a477ab7422f1120a217054f958a66ef7314f76dd9e77d3f02cdccd0 \ - --hash=sha256:8e9723528b9f787dc59168369e42ae1c3b0d3fadb2f1a71de14531d321ee05b0 \ - --hash=sha256:9090c9e676d5236a6948330e83cb89969f433b1943a558968f659ead07cb3b36 \ - --hash=sha256:9153ed35fc5e4fa3b2fe97bddaa7cbec0ed22412b85bcdaf54aeba92ea37428c \ - --hash=sha256:9159485323798c8dc530a224bd3ffcf76659319ccc7bbd52e01e73bd0241a0c5 \ - --hash=sha256:941988b89b4fd6b41c3f0bfb20e92bd23746579736b7343283297c4c8cbae68f \ - --hash=sha256:94265b00870aa407bd0cbcfd536f17ecde43b94fb8d228560a1e9d3041462d73 \ - --hash=sha256:98b5e1f498a8ca1858a1cdbffb023bfd954da4e3fa2c0cb5853d40014557248b \ - --hash=sha256:9b201ae332c3637a42f02d1045e1d0cccfdc41f1f2f801dafbaa7e9b4797bfc2 \ - --hash=sha256:a0ea261ce52b5952bf669684a251a66df239ec6d441ccb59ec7afa882265d593 \ - --hash=sha256:a33a747400b94b6d6b8a165e4480264a64a78c8a4c734b62136062e9a248dd39 \ - --hash=sha256:a452f9ca3e3267cd4d0fcf2edd0d035b1934ac2bd7e0e57ac91ad6b95c0c6389 \ - --hash=sha256:a86373cf37cd7764f2201b76496aba58a52e76dedfaa698ef9e9688bfd9e41cf \ - --hash=sha256:ac83a914ebaf589b69f7d0a1277602ff494e21f4c2f743313414378f8f50a4cf \ - --hash=sha256:aefbc4cb0a54f91af643660a0a150ce2c090d3652cf4052a5397fb2de549cd89 \ - --hash=sha256:b3646eefa23daeba62643a58aac816945cadc0afaf21800a1421eeba5f6cfb9c \ - 
--hash=sha256:b47cfad9e9bbbed2339081f4e346c93ecd7ab504299403320bf85f7f85c7d46c \ - --hash=sha256:b935ae30c6e7400022b50f8d359c03ed233d45b725cfdd299462f41ee5ffba6f \ - --hash=sha256:bb2dee3874a500de01c93d5c71415fcaef1d858370d405824783e7a8ef5db440 \ - --hash=sha256:bc57efac2da352a51cc4658878a68d2b1b67dbe9d33c36cb826ca449d80a8465 \ - --hash=sha256:bf5703fdeb350e36885f2875d853ce13172ae281c56e509f4e6eca049bdfb136 \ - --hash=sha256:c31f72b1b6624c9d863fc095da460802f43a7c6868c5dda140f51da24fd47d7b \ - --hash=sha256:c5cd603b575ebceca7da5a3a251e69561bec509e0b46e4993e1cac402b7247b8 \ - --hash=sha256:d2efee35b4b0a347e0d99d28e884dfd82797852d62fcd7ebdeee26f3ceb72cf3 \ - --hash=sha256:d462f28826f4657968ae51d2181a074dfe03c200d6131690b7d65d55b0f360f8 \ - --hash=sha256:d5e49454f19ef621089e204f862388d29e6e8d8b162efce05208913dde5b9ad6 \ - --hash=sha256:da4813f751142436b075ed7aa012a8778aa43a99f7b36afe9b742d3ed8bdc95e \ - --hash=sha256:db2e408d983b0e61e238cf579c09ef7020560441906ca990fe8412153e3b291f \ - --hash=sha256:db98ad84a55eb09b3c32a96c576476777e87c520a34e2519d3e59c44710c002c \ - --hash=sha256:dbed418ba5c3dce92619656802cc5355cb679e58d0d89b50f116e4a9d5a9603e \ - --hash=sha256:dcdba5c86e368442528f7060039eda390cc4091bfd1dca41e8046af7c910dda8 \ - --hash=sha256:decbfa2f618fa8ed81c95ee18a387ff973143c656ef800c9f24fb7e9c16054e2 \ - --hash=sha256:e4fdb9275308292e880dcbeb12546df7f3e0f96c6b41197e0cf37d2826359020 \ - --hash=sha256:eb1b046be06b0fce7249f1d025cd359b4b80fc1c3e24ad9eca33e0dcdb2e4a35 \ - --hash=sha256:eb6e651000a19c96f452c85132811d25e9264d836951022d6e81df2fff38337d \ - --hash=sha256:ed867c42c268f876097248e05b6117a65bcd1e63b779e916fe2e33cd6fd0d3c3 \ - --hash=sha256:edfad1d29c73f9b863ebe7082ae9321374ccb10879eeabc84ba3b69f2579d537 \ - --hash=sha256:f2058f813d4f2b5e3a9eb2eb3faf8f1d99b81c3e51aeda4b168406443e8ba809 \ - --hash=sha256:f6b2d0c6703c988d334f297aa5df18c45e97b0af3679bb75059e0e0bd8b1069d \ - --hash=sha256:f8212564d49c50eb4565e502814f694e240c55551a5f1bc841d4fcaabb0a9b8a \ - 
--hash=sha256:ffa565331890b90056c01db69c0fe634a776f8019c143a5ae265f9c6bc4bd6d4 - # via - # deprecated - # opentelemetry-instrumentation -zipp==3.19.1 \ - --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ - --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f - # via importlib-metadata -zope-event==5.0 \ - --hash=sha256:2832e95014f4db26c47a13fdaef84cef2f4df37e66b59d8f1f4a8f319a632c26 \ - --hash=sha256:bac440d8d9891b4068e2b5a2c5e2c9765a9df762944bda6955f96bb9b91e67cd - # via gevent -zope-interface==6.4.post2 \ - --hash=sha256:00b5c3e9744dcdc9e84c24ed6646d5cf0cf66551347b310b3ffd70f056535854 \ - --hash=sha256:0e4fa5d34d7973e6b0efa46fe4405090f3b406f64b6290facbb19dcbf642ad6b \ - --hash=sha256:136cacdde1a2c5e5bc3d0b2a1beed733f97e2dad8c2ad3c2e17116f6590a3827 \ - --hash=sha256:1730c93a38b5a18d24549bc81613223962a19d457cfda9bdc66e542f475a36f4 \ - --hash=sha256:1a62fd6cd518693568e23e02f41816adedfca637f26716837681c90b36af3671 \ - --hash=sha256:1c207e6f6dfd5749a26f5a5fd966602d6b824ec00d2df84a7e9a924e8933654e \ - --hash=sha256:2eccd5bef45883802848f821d940367c1d0ad588de71e5cabe3813175444202c \ - --hash=sha256:33ee982237cffaf946db365c3a6ebaa37855d8e3ca5800f6f48890209c1cfefc \ - --hash=sha256:3d136e5b8821073e1a09dde3eb076ea9988e7010c54ffe4d39701adf0c303438 \ - --hash=sha256:47654177e675bafdf4e4738ce58cdc5c6d6ee2157ac0a78a3fa460942b9d64a8 \ - --hash=sha256:47937cf2e7ed4e0e37f7851c76edeb8543ec9b0eae149b36ecd26176ff1ca874 \ - --hash=sha256:4ac46298e0143d91e4644a27a769d1388d5d89e82ee0cf37bf2b0b001b9712a4 \ - --hash=sha256:4c0b208a5d6c81434bdfa0f06d9b667e5de15af84d8cae5723c3a33ba6611b82 \ - --hash=sha256:551db2fe892fcbefb38f6f81ffa62de11090c8119fd4e66a60f3adff70751ec7 \ - --hash=sha256:599f3b07bde2627e163ce484d5497a54a0a8437779362395c6b25e68c6590ede \ - --hash=sha256:5ef8356f16b1a83609f7a992a6e33d792bb5eff2370712c9eaae0d02e1924341 \ - --hash=sha256:5fe919027f29b12f7a2562ba0daf3e045cb388f844e022552a5674fcdf5d21f1 \ - 
--hash=sha256:6f0a6be264afb094975b5ef55c911379d6989caa87c4e558814ec4f5125cfa2e \ - --hash=sha256:706efc19f9679a1b425d6fa2b4bc770d976d0984335eaea0869bd32f627591d2 \ - --hash=sha256:73f9752cf3596771c7726f7eea5b9e634ad47c6d863043589a1c3bb31325c7eb \ - --hash=sha256:762e616199f6319bb98e7f4f27d254c84c5fb1c25c908c2a9d0f92b92fb27530 \ - --hash=sha256:866a0f583be79f0def667a5d2c60b7b4cc68f0c0a470f227e1122691b443c934 \ - --hash=sha256:86a94af4a88110ed4bb8961f5ac72edf782958e665d5bfceaab6bf388420a78b \ - --hash=sha256:8e0343a6e06d94f6b6ac52fbc75269b41dd3c57066541a6c76517f69fe67cb43 \ - --hash=sha256:97e615eab34bd8477c3f34197a17ce08c648d38467489359cb9eb7394f1083f7 \ - --hash=sha256:a96e6d4074db29b152222c34d7eec2e2db2f92638d2b2b2c704f9e8db3ae0edc \ - --hash=sha256:b912750b13d76af8aac45ddf4679535def304b2a48a07989ec736508d0bbfbde \ - --hash=sha256:bc2676312cc3468a25aac001ec727168994ea3b69b48914944a44c6a0b251e79 \ - --hash=sha256:cebff2fe5dc82cb22122e4e1225e00a4a506b1a16fafa911142ee124febf2c9e \ - --hash=sha256:d22fce0b0f5715cdac082e35a9e735a1752dc8585f005d045abb1a7c20e197f9 \ - --hash=sha256:d3f7e001328bd6466b3414215f66dde3c7c13d8025a9c160a75d7b2687090d15 \ - --hash=sha256:d3fe667935e9562407c2511570dca14604a654988a13d8725667e95161d92e9b \ - --hash=sha256:dabb70a6e3d9c22df50e08dc55b14ca2a99da95a2d941954255ac76fd6982bc5 \ - --hash=sha256:e2fb8e8158306567a3a9a41670c1ff99d0567d7fc96fa93b7abf8b519a46b250 \ - --hash=sha256:e96ac6b3169940a8cd57b4f2b8edcad8f5213b60efcd197d59fbe52f0accd66e \ - --hash=sha256:fbf649bc77510ef2521cf797700b96167bb77838c40780da7ea3edd8b78044d1 - # via gevent - -# WARNING: The following packages were not pinned, but pip requires them to be -# pinned when the requirements file includes hashes and the requirement is not -# satisfied by a package already installed. Consider using the --allow-unsafe flag. -# setuptools 
diff --git a/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt
deleted file mode 100644
index f1ad8e3b..00000000
--- a/istio-1.24.3/samples/bookinfo/src/productpage/test-requirements.txt
+++ /dev/null
@@ -1,122 +0,0 @@ -# -# This file is autogenerated by pip-compile with Python 3.12 -# by the following command: -# -# pip-compile --generate-hashes test-requirements.in -# -certifi==2024.7.4 \ - --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ - --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 - # via requests -charset-normalizer==3.3.2 \ - --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ - --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ - --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ - --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ - --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ - --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ - --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ - --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ - --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ - --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ - --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ - --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ - --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ - --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ - --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ - --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ - --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ - --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ - --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ - 
--hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ - --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ - --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ - --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ - --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ - --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ - --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ - --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ - --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ - --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ - --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ - --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ - --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ - --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ - --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ - --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ - --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ - --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ - --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ - --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ - --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ - --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ - --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ - --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ - 
--hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ - --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ - --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ - --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ - --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ - --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ - --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ - --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ - --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ - --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ - --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ - --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ - --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ - --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ - --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ - --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ - --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ - --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ - --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ - --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ - --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ - --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ - --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ - --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ - 
--hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ - --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ - --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ - --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ - --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ - --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ - --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ - --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ - --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ - --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ - --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ - --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ - --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ - --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ - --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ - --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ - --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ - --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ - --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ - --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ - --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ - --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ - --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 - # via requests -idna==3.7 \ - 
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ - --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 - # via requests -requests==2.32.2 \ - --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ - --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c - # via requests-mock -requests-mock==1.5.2 \ - --hash=sha256:7a5fa99db5e3a2a961b6f20ed40ee6baeff73503cf0a553cc4d679409e6170fb \ - --hash=sha256:8ca0628dc66d3f212878932fd741b02aa197ad53fd2228164800a169a4a826af - # via -r test-requirements.in -six==1.16.0 \ - --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ - --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 - # via requests-mock -urllib3==2.2.2 \ - --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ - --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 - # via requests diff --git a/istio-1.24.3/samples/bookinfo/src/ratings/package.json b/istio-1.24.3/samples/bookinfo/src/ratings/package.json deleted file mode 100644 index f0498224..00000000 --- a/istio-1.24.3/samples/bookinfo/src/ratings/package.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "scripts": { - "start": "node ratings.js" - }, - "dependencies": { - "httpdispatcher": "1.0.0", - "mongodb": "^3.6.0", - "mysql": "^2.15.0" - }, - "private": true -} diff --git a/istio-1.24.3/samples/bookinfo/swagger.yaml b/istio-1.24.3/samples/bookinfo/swagger.yaml deleted file mode 100644 index 6782e732..00000000 --- a/istio-1.24.3/samples/bookinfo/swagger.yaml +++ /dev/null 
@@ -1,248 +0,0 @@ -swagger: "2.0" -info: - description: "This is the API of the Istio BookInfo sample application." - version: "1.0.0" - title: "BookInfo API" - termsOfService: "https://istio.io/" - license: - name: "Apache 2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0.html" -basePath: "/api/v1" -tags: -- name: "product" - description: "Information about a product (in this case a book)" -- name: "review" - description: "Review information for a product" -- name: "rating" - description: "Rating information for a product" -externalDocs: - description: "Learn more about the Istio BookInfo application" - url: "https://istio.io/docs/samples/bookinfo.html" -paths: - /products: - get: - tags: - - "product" - summary: "List all products" - description: "List all products available in the application with a minimum amount of information." - operationId: "getProducts" - consumes: - - "application/json" - produces: - - "application/json" - responses: - 200: - description: "successful operation" - schema: - type: "array" - items: - $ref: "#/definitions/Product" - /products/{id}: - get: - tags: - - "product" - summary: "Get individual product" - description: "Get detailed information about an individual product with the given id." - operationId: "getProduct" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductDetails" - 400: - description: "Invalid product id" - /products/{id}/reviews: - get: - tags: - - "review" - summary: "Get reviews for a product" - description: "Get reviews for a product, including review text and possibly ratings information." 
- operationId: "getProductReviews" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductReviews" - 400: - description: "Invalid product id" - /products/{id}/ratings: - get: - tags: - - "rating" - summary: "Get ratings for a product" - description: "Get ratings for a product, including stars and their color." - operationId: "getProductRatings" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductRatings" - 400: - description: "Invalid product id" - - -definitions: - Product: - type: "object" - description: "Basic information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - title: - type: "string" - description: "Title of the book" - descriptionHtml: - type: "string" - description: "Description of the book - may contain HTML tags" - required: - - "id" - - "title" - - "descriptionHtml" - ProductDetails: - type: "object" - description: "Detailed information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - publisher: - type: "string" - description: "Publisher of the book" - language: - type: "string" - description: "Language of the book" - author: - type: "string" - description: "Author of the book" - ISBN-10: - type: "string" - description: "ISBN-10 of the book" - ISBN-13: - type: "string" - description: "ISBN-13 of the book" - year: - type: "integer" - format: "int32" - description: "Year the book was first published in" - type: - type: "string" - enum: - - "paperback" - - "hardcover" - 
description: "Type of the book" - pages: - type: "integer" - format: "int32" - description: "Number of pages of the book" - required: - - "id" - - "publisher" - - "language" - - "author" - - "ISBN-10" - - "ISBN-13" - - "year" - - "type" - - "pages" - ProductReviews: - type: "object" - description: "Object containing reviews for a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - reviews: - type: "array" - description: "List of reviews" - items: - $ref: "#/definitions/Review" - required: - - "id" - - "reviews" - Review: - type: "object" - description: "Review of a product" - properties: - reviewer: - type: "string" - description: "Name of the reviewer" - text: - type: "string" - description: "Review text" - rating: - $ref: "#/definitions/Rating" - required: - - "reviewer" - - "text" - Rating: - type: "object" - description: "Rating of a product" - properties: - stars: - type: "integer" - format: "int32" - minimum: 1 - maximum: 5 - description: "Number of stars" - color: - type: "string" - enum: - - "red" - - "black" - description: "Color in which stars should be displayed" - required: - - "stars" - - "color" - ProductRatings: - type: "object" - description: "Object containing ratings of a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - ratings: - type: "object" - description: "A hashmap where keys are reviewer names, values are number of stars" - additionalProperties: - type: "string" - required: - - "id" - - "ratings" \ No newline at end of file diff --git a/istio-1.24.3/samples/builder/README.md b/istio-1.24.3/samples/builder/README.md deleted file mode 100644 index ca007151..00000000 --- a/istio-1.24.3/samples/builder/README.md +++ /dev/null 
@@ -1,31 +0,0 @@
-# Sample builder
-
-This folder contains docker image building logic for various samples, to consolidate things.
-Note some images still user per-folder config, so this is not complete.
-
-## Building for testing
-
-To build all images and push them:
-
-```bash
-docker buildx bake --push
-```
-
-This will push to `localhost:5000` by default, which you can override with `HUB=localhost:5000`.
-It will also build `linux/amd64,linux/arm64` which you can override with `PLATFORMS`.
-
-You can also build a set of images instead of all of them:
-
-```bash
-docker buildx bake --push examples-helloworld-v1 tcp-echo-server
-```
-
-## Updating images
-
-When updating images, increment the version for the image in the `tags` config.
-You will also want to update the sample YAMLs
-
-## Building official images
-
-Set `HUB=docker.io/istio` for official image builds.
-Its best to only do this once for each image to avoid accidentally mutating existing images.
diff --git a/istio-1.24.3/samples/certs/README.md b/istio-1.24.3/samples/certs/README.md
deleted file mode 100644
index 847d60ab..00000000
--- a/istio-1.24.3/samples/certs/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# Istio plugin CA sample certificates
-
-This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
-a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
-Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
-
-The included sample files are:
-
-- `root-cert.pem`: root CA certificate.
-- `root-cert-alt.pem`: alternative CA certificate.
-- `root-cert-combined.pem`: combine `root-cert.pem` and `root-cert-alt.pem` into a single file.
-- `root-cert-combined-2.pem`: combine `root-cert.pem` and two `root-cert-alt.pem` into a single file.
-- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
-- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
-- `ca-[cert-alt-2|key-alt-2].pem`: alternative intermediate certificate and corresponding private key signed by `root-cert-alt.pem`.
-- `cert-chain.pem`: certificate trust chain.
-- `cert-chain-alt.pem`: alternative certificate chain.
-- `cert-chain-alt-2.pem`: alternative certificate chain signed by `root-cert-alt.pem`.
-- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
-- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
-- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
-- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
-- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
-- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.
-
-The workload cert and key are generated by:
-
-```shell script
- ./generate-workload.sh foo
- ./generate-workload.sh bar
-```
-
-To generate certs signed by the alternative root `root-cert-alt.pem`
-
-```shell script
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-```
diff --git a/istio-1.24.3/samples/certs/ca-cert-alt-2.pem b/istio-1.24.3/samples/certs/ca-cert-alt-2.pem
deleted file mode 100644
index afd02209..00000000
--- a/istio-1.24.3/samples/certs/ca-cert-alt-2.pem
+++ /dev/null
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeTCCA2GgAwIBAgIUNnd90WzsKHfAhOFJAiow2W5D8iQwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNTMwWhcNMzMxMjA4MTYyNTMwWjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMjCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAMbK7UmbUiCLkoUMUXE+5gkfHQ/x808O/RfL -JNxUa/1pN6Jt9COosld69FmJBwpTufOyCZOP7rerOeufxlel45R28EVNyRnjG6jO -Kl/O1vuAwjc0HNvftXTsYVEZ+zpV4UWa4QK6kUwIZ6KH75A6HT6qmJavNEs1PEUA -oCitowAMpn8Ix1E9LxQNgx7IUeAD8THzyeAPZsOYcl1IFWvZkcqabg9hMqXtPxP0 -eciHlQb/jeEd0gLTXVi7ymhUczMmffxZZrQ346Ylz7zZ6SkHFjPCyfeNSwB5iszk -VdKGVtyogmp7mEcwa8o4p1JESmWF3qRZpUVs+Y7loGYTVQBlqUSdnI/zx5yd+qXY -mR3ktEUK5AUI7liIwJ1BKZy6z4OSZ+qna+LbJRqLcB/4tK0YuOf8ffmk18GyjQQ+ -tKeZjntTnnaS+mtFLP1zpW+BnurCRfVPxEg8bFCg511AuyuWRuB2MHQXQg+H915C -e2qm5/ccGfV2mDVF2jKS1q39g7YVLd5HCxR0rBlrh9IwdxE5sAzoREylLrc+HsJn -27841ID+MiwI3l/GUst/UW2SEA1OtxT5USC6pkZyRBM/Y7OJthNxXyCOpzUhu8AQ -GUbtrdI7oEFaSLsdH2GXhQeh0TecJiNnhbvIryZK2HofWncdBVE+AcK7VWUFO4At -6gVcR1qPAgMBAAGjgYswgYgwHQYDVR0OBBYEFCuu9MuphtLDKUZpJK49m12qXRwo -MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC -F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp -EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQDGvZxypjwVUljjvQ1AFi6Grirq -iLPgrC5zepLyUaWefLr9I99k4Uq8+f5WWk3Y04SWnY2JPNGvdjAG8aRpM0IixnO0 -OFnlaYjRBv0EKhdzg+TC6O9R2s5s01lR4ya1kmzDyC7BKcGzo8T2IXOOTftcFAAT -arc6Z55BuFuYslWlj+bQ96mxuN1q53a+JzYl+o92vpdnCBKb3OSGjb1hA29E3wzm -YPsctkItuGImX/JUBqZH/0YxdRDjXI8AJ8R8p1qoZZORMrMVey8bX98EN3ai8HVQ -RmP1Fa7qU3O28fi5JHGaX48O8VdJHdRR0G87qDNxArtrhrylrcTykPZkapwUQP+C -SJuy2F5hEVwI8nwX6SKbzW3tsUYQssk9/3U4DmfIWhCg7ffeEp+aLshkrtlIi9NY -YZtznntQagFSs3Cg/XsSjcKMmVfQ69uy7tTHUpK66mz5DosRBo13DFaI19bxNfQX -yJnKuuvyx1q6Y7BsFwqElX2G9WZ6/mgUpochDKgTni0o6AmDBvrfcXfJRxQwICUe -crvOngDaRmQ50HaKoNtWgYHYCXSNP8de//Yz+ebusyLca4i0PTt5oGInW4k8folC -ntXpODzLE3qNYRrSM74KGNre7hwp9BE+i6ksiojVawt5GJgS98PK3zdpVNNIPp0s -ZW8HVio+HD4I2VBxTQ== ------END 
CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-cert-alt.pem b/istio-1.24.3/samples/certs/ca-cert-alt.pem deleted file mode 100644 index f20a8c6e..00000000 --- a/istio-1.24.3/samples/certs/ca-cert-alt.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeTCCA2GgAwIBAgIUQchu+RczGG1A4BnmrCcpkURQGTAwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNTI1WhcNMzMxMjA4MTYyNTI1WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJCkq9Y68g9n0i4xkyYo4mygXIgaj94cvmu3 -X81CLEu/hYrl08acaKZMno+57ibAfxKBsWfA0FMp1eXZ3T9KYlNsSarC8c6RCPbX -Lzp4iPGMq5n/+OgCGaVUbaLuZB7F6gCJebyM3Du6Zap7X1xm3w2EpiVqHW6iAJqv -oBNtm7/uzFQiIU3UMeea/XBzo1FpDqNcuc/GgyILs1GA2+U4LfmcwhvUjF36bZ1q -WMnPfCMHwHTNiGikAJKSXqADz8+rthOyNZq3yFGV/ZOJf6yHOWiyP1BjojRbHCt1 -P8u2nWuD40iqreVrQw3h5Hsz6+mCIkUYFZ45yO0fyRZ/q46M8RKHluD1VI7X6R98 -wB+XPqh12tbXUQJw1/QdtUotszhQq/WUbewX9v4joGIel3MFpoBCoaHh4N4/S1Vk -9k32c4lEYeV5wO6DZSV9fuasN6KzaiPNNiufP2MnIzJSbal0uZJ0dmyhmHGLGsGc -t6zxAQpV8reqWZE1mZt94T4TnDpm61BDKRPRu7s6sP42iq6055c+5x3DhVqTInnB -uTi7oikTykZ2s0budYyjATNMUuz2RHZXxfb6ScqC5mEL0kbKCDgRzS0NS15LHpUX -Ue65PG8hiuWLuDTcQohWFkeIQyKUGL9uQ5qmmGK8FZwUU/9gY1JjrMw5sa+rVN/C -hkbRsHmBAgMBAAGjgYswgYgwHQYDVR0OBBYEFP/KjsSWWC+hw1cIaZLn1ZV3IeMq -MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC -F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp -EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQBO6P+y7UQ7HRyA7dOf2Dvze6xv -HKgjh8z5uKNbfvmgUT2gECQ+3g0LvDRYHU7w/isSmhCQxIGf+xc7r3+Rtyjg+uEc -8z0UBysbqrn8pZXPr+FPU5X5czUnwXlZwj02e1fY250LCmfHXFYuPzgwtlbJs2Ec -2exDG7EZWWX6l/mRFQR8HiF/jum2i06yjO1v+phUVenW/ym2fq+/lY/ZWebQasD7 -7PT3yT/Eage4AIj5zYmZzqJex3OKDiVltAUefnekFJBKqv1UIcWlijRPZPK8uYQk -IYHRL5fpa9E/HkwY8QopXPJi6Yfx76acY+dQd1xovY3noUVGzQV5wuaICS9V6H9B -5vkxDYbbABQQ9OJcy8XR7cqlkUATiH5hVRjMSKJiostO+CiVDWjZyJdNgR0kZeaa -9cSYBdTBxN82A/Vtq4ETq/PG5rR08KQY4HqIlOlo16OxGcJ2zVKSk5lTeI1wx/in -uOnJTo5mDJHOJrtYGuCLiqZp/Fbcz/Tb9Qccc1yw78feYiNV6JXKx3uPvfsNbXkY -KnsorT6OQ9G2d/zKPYUw+JEc1BJpk8okvGT8oTfvnfXty63ccN4+iyohQP/GwtQ9 -XiIJ0gGGQjY1VA/L2MOYV0hSMLgddvl4Pt8KXsxQ72gGl8a/s1oOKkYfpm/xchpd -3ldrrKbAwExwhsARrA== ------END 
CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-cert.pem b/istio-1.24.3/samples/certs/ca-cert.pem deleted file mode 100644 index a460e036..00000000 --- a/istio-1.24.3/samples/certs/ca-cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/ca-key-alt-2.pem b/istio-1.24.3/samples/certs/ca-key-alt-2.pem deleted file mode 100644 index f6e2468d..00000000 --- a/istio-1.24.3/samples/certs/ca-key-alt-2.pem +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDopeTrevAe/mV+ -rXUNjxsamaQgQ6GQuHlsysUxO9MfMo6jn/v55KZv8LvjRTQXsxT7SIY5UPAcDXUZ -So866W4kIncUFuIFCvRQfULcP0/dVz8Al1tcssyi5s5rEnUIb8QmCXpM3g7cTONz -taBSwmY8JG+EjNkUJzFzlWOdMa9kvR2DboWhTnKazM8SUCa7gQDCI0ntZkbFotqx -uqIkbsxYpgw2mplEGoEcVbfBID2MYqoK+w5CtNGBsnr946auIb33smqtnAC52fyC -xwoDu3I9XLJZmYEPqk/EyP6cTmxRT3E4SSTGtgEqS51L+eraubpDUBwoW5NPkKah -qRhaia/26nCMB29WVvSWOfnIb8irZF+Gaq7tWsGY3oZ0o4VWXLmhxMBeeHGhy6Zu -RID6lE2HCj/LJCChKAThwGpLn2P+9TYiAHjrP8A47SRUq+evKWPgUtOgnF7plgGk -1WafZt9kIxV0+tptoqquUoMgOT1StBsFRHjUIEk4ABHSZ83y1U61T5AnmVWWfArf -bsBNYSRRAFU3fD9aIF2RqNlYxCezxoMZaNC7hyqD4vrH+yTsJxuFVgUo+iSYtIxa -jeJODKtUv0x1sxzhH3JhQ/I2Gk8fby3HEC21eHit69MU+qDQQ69xApY28qk3uEE0 -whzxBAmdqWuWMOkdM4dQpq93vqaJRQIDAQABAoICACZ9FY2AofuarjtiInibCYqh -yvWcgrzwzAPb2vo9cbzaTh9TTypFMeTYkJj1oLvgAHNfCPewBH07m7kSrPX72uEn -A4jDDWL0sD0lr/tEjSeq8K0eHTsNiI3VveYYYFzEMtDxJfbUEOTQ4ptIu8ydRTEj -fQCSlbJAFq4O07NUnjX+FIUjMn/gfNTP190pffLs0W2MzYT1M/Wr7t7S59K7stpi -pCgfdQY/lUcVBkiw1wXj58pXxQDzrap1luPsdu2dfvJc5cmxgqw8nEodeDJsXya4 -MHhizSeEj1xYvUiqL8DW8f30Gd23DCPNbSk94CUN73sF5JanqcwSvAKIOVN3LnFM -DrGnvMi4Quct5rBEVsZW7mKdgmNd0rPCjAbQKY3T3HyQuAm/gR0rEv3x4WOvFK2m -SgPpgcrozNvP9RUgZlziNkdl9iVlnpi/bOAk2VKbQWhArOTolWiEJDNcKOsAQXUj -JuTEEfv2z9adbguhIL7A79AeqsdJze7YBSqvZcmxVg8FOvQlzlMnznQIfMSTniS2 -CAIEmxPqQ6EQLjMSyDoDdQ5UFQ62MAoG3XGkI9iUQLSsaqY6GBVBJVpAGfbQed/c -6HAxwdJBw5270Z0xw+U4gTuaG8qDvHHqqO6M9YIjsKAnkwjwGmF1l6HHFFsr5Hyc -8ZdOGuBV5KBne3vVkmXxAoIBAQD4FTx5vLwdbILvr0ehxLfIH3jxsfF8Dphqb1g0 -tCaiKMEqaeLaKTBxy+h9Z4qfXDQW+3Oa2CZgAbDc2bCJynQ/li5lDGwXlFwnuzPV -Dq8mIOymogZFgX+WbDDLOJ7rNrj7+82WV4UHZVlDQ3/5zkvJ2GuVICV9MAr1b2c+ -+1y0ozE87wViQDuBlHxLDHL7OZq0UinBlAJ0eyPWn5ZjkhxKHqqcDBKjbYm5JgV+ -GhNvNeJZcLUUkmg+MCPMglZ0SJojDBiLVBE5m1S8x+vyoy4bjb0GWag2rapqkCbv -5X/WqMrVxZdB1X86d4hLFaDwG7yNZtnijJigdFwS+EayE+rVAoIBAQDwEo8ofTZa -hoY5Fl8KNigqEP5/5n24q+qZ6Ku+SkWBnqmGS5ZHx7u6aItXWc/m9MoZh/jLlbba 
-LNCqT1MKa4jLkVVkyUBTqFy4bu3baU1BYHE0zLEkegsb8RnD3tFGI4tjEoBnvwEq -yQItbQp9IhGTw60fml619WU2yZK5gfIYxBxJyT8M33aizYRSGP2ihBtwFz16/L33 -If0nA30RD2hOXcSGAfoyAn7nFqQfTkByTsSTp8HrqtHLDrTLNDSewx09c2ExuXPd -XdcXVvA6Z7ZP/vpVrqkLQHVx4dpPsvKQ7rwI0KKjjkvEh/XkJq4xUlPlyMrVkULX -EFPXHGNhmnyxAoIBAQCmEKEg5KQQFjk39N9AfIyBm/+72t/JqYOBi/NBpG5QEnPr -zmGapAPXySVh/NOghXohAEWMm7Bkh/06eUZhlnJmtkNsRPp+dkOSHRA/SMsZ/OQt -TzxffqZHrTikcMyAq2r80rv2LbPRFZjBHAgo0l2NSiAJ/TDbMjPDw8UbNewCx1MI -dP/nmxO6VAk3u6ekYBUdK/rjqA5UprGA0+c50+639vtB5hr75zFQDRGULiRgR3Oz -Z2zvzmmVZ2gvV/hDcu4rE8fCTI4TP9VjYXiiPXV54FFuVMnzgCEZoFFQORJwQSE2 -JERyP1Yhby5/BIVs9UQsa3Li4jaxAfM4h5XbUtXZAoIBAQDPCrJ78MCXgbzwLuL4 -I4yv+sgB9f4m7dz9rzOugM9A4lzBfR61+QNl2BOT2dj7DdHeAu4GZa+0qUGsH402 -R1dKeKR0rzvS6jhMtx5bQ41k/I+lQYLkOnyqNFxMGDXTj4P+hU5IKuoOxBwkoQ2S -rXcLQI5l2vQjaOdJQL5RTkhEI51h5TWDHJVsAmJDi1nydoxTNzfGgYIzSBTTOKb7 -t5X1P9jk2X+08YIQOe6BMTNTYasWzG7pmAAmZyB0vylCYnMtM/x2rcHG/88oScoU -FK2ef//VNTSEh6rB9E4avfGEHN/9mjEpbObbL4ZYpSNFVgMVAP4tAYHriCFGOy1a -V6mBAoIBAQDVG3hZJ8jONTpW4EXLrHIWtgxhYNjIdM3EFPFLZtMQ3ub6iNwtfMeM -fjD4CJGRIK52t4jv65F0lY8p4JFGLVjnXIIxP45/GZ4CGj+APg4dBd5cORmJmuZQ -jzJyHJ1/Oc12v1VMb7HJRezeAm60wjGKr1PeFezp2HkjQDNswwSvjmbQhIYvIII+ -l5RosqYuIPYq96+L4gj4VSh4IfbUHt0fY6O90cjdHK0fbXL99GtKMJvgA4u9IKDb -FwimOxL+xU8CeBV8TebVS5NYyyPHoKNkGh5GDNkKFG4e75Qn04P+vRvn/CJaz2Vt -f9ijIRn01xKm7QpucsEmo6FNo58miyT9 ------END PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/ca-key-alt.pem b/istio-1.24.3/samples/certs/ca-key-alt.pem deleted file mode 100644 index 3f1f1964..00000000 --- a/istio-1.24.3/samples/certs/ca-key-alt.pem +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCQpKvWOvIPZ9Iu -MZMmKOJsoFyIGo/eHL5rt1/NQixLv4WK5dPGnGimTJ6Pue4mwH8SgbFnwNBTKdXl -2d0/SmJTbEmqwvHOkQj21y86eIjxjKuZ//joAhmlVG2i7mQexeoAiXm8jNw7umWq -e19cZt8NhKYlah1uogCar6ATbZu/7sxUIiFN1DHnmv1wc6NRaQ6jXLnPxoMiC7NR -gNvlOC35nMIb1Ixd+m2daljJz3wjB8B0zYhopACSkl6gA8/Pq7YTsjWat8hRlf2T -iX+shzlosj9QY6I0WxwrdT/Ltp1rg+NIqq3la0MN4eR7M+vpgiJFGBWeOcjtH8kW -f6uOjPESh5bg9VSO1+kffMAflz6oddrW11ECcNf0HbVKLbM4UKv1lG3sF/b+I6Bi -HpdzBaaAQqGh4eDeP0tVZPZN9nOJRGHlecDug2UlfX7mrDeis2ojzTYrnz9jJyMy -Um2pdLmSdHZsoZhxixrBnLes8QEKVfK3qlmRNZmbfeE+E5w6ZutQQykT0bu7OrD+ -NoqutOeXPucdw4VakyJ5wbk4u6IpE8pGdrNG7nWMowEzTFLs9kR2V8X2+knKguZh -C9JGygg4Ec0tDUteSx6VF1HuuTxvIYrli7g03EKIVhZHiEMilBi/bkOapphivBWc -FFP/YGNSY6zMObGvq1TfwoZG0bB5gQIDAQABAoICAAOg1NRkMMKbCyg4W0GEmqbo -yB9sIqYavJpTPIyHm5i4FHmLKbJ4hY2/2+WdL2ySjTF1tkF08kjWwqBAFHsgIpqm -+4tUdeg1hkb6V3uBDubXvW140LmhpVrqxPAGiLWGp4e1SxvkIOlg4+hYjUgiJrfW -JyyGtpeqCce3jnV0TTkNnHujCkizcR/HGRLFPNBXyTum8ZyFFVChIGGz0LhFji4t -7ObRsGZyV+XwJytjSHDwwqavaeu9iuviTuw2wkOKYjAo6wwvLl/BCl4FP8IQN4wB -NiI+KJFFhI2wxI2XrmfWNGkkCmYICHPggeinARS/vFw1NiQcnRYZIzQ8tj0GeyzP -FeC4ozplVdsp4ouY1/XsyoW1vG/gRLV+ua3dQyHPreLAP452QGOhzffUNksCejtb -dPQJ5e4RZeAQab5YL2MSNCutZ/tcGJtsjuiSfDZZflWEeKpXz/NU4WiGxX+AHC6C -TIscYhXbCkanZ6J5UXOwVjUsg2xLcuAyoh67iphMuqTbaeQSJehPwhkR4VXad9mW -1ChZJnc/YSD6S3/fGzSn94kWWDCoRh9KUtqk0ZCRJBQdHq9owPny0tszxJZZw6wF -6nnQH8Ywk5RsvNL2CxMWFuPIfPgUuoSgucBpWoHmcN7ZRWsd+wfZsolbZtE09buz -mUXybkHnWtMUO3MlJoARAoIBAQDK7E9ZExt4GGsyvWAw2HVuHJ0VF5LAlvgHGiHj -r2zDw7mWX9jIMnZcB3s3DJFIZloQspDyxrIwefuI2xTHpoI4yeTH/MWjyzaBhZAW -uMDakWuUTFXYfPPrLorLh7HwMYGxJoI5Gx9bvTHs/Gl/3KwNsX6kWayCTruvUfuH -5uOKZd3XvjgfcUT9uKnOf/K8eJDZ2d4LIDm+VkCSsU832CsPMf1O0wLGe1QEiaAt -PXHyxF5wnNn3URYmtukyX4gspI9ZCqu6cYOYdvuwl6XihaFD812eUtnaNc5b8BQH -5/INKNvZrPmcjvW2LiPqHFfnG8gvcZ++hy/poG48/5K7/k3RAoIBAQC2efRnqHxi -+mPDCytVdI1egkMZzkfq8syzPKr1zE6fDCizYuIGl00SJOVvm0avFz0z+mBT2cGl 
-xYMe36XtkLZ7qt0g95M/8Obt1EZvOJ5AGgjFgOCD3BPK1W/CdXP+Aa1HKb0LrUak -VRfARWjDvF97q2BANyWRy4mfRHcgQbXDcuSG4iyUP9IPZWHtt13CTrkM0zbawFb/ -nx1tmLCXT4N+s3h3PgB6+TpolWuZX1Sxbkggf4uQwZrwrcuDF+F9pbgQ97oeNmmP -BSZoh0YG9COdVxTJ5nqFYKKenLl3PVG5SADBrW5Hftax2bfijq/UdwolwLWc26uV -y05jJ8odIOyxAoIBAF1bYJoDX2TeHxtl4sY2H7h784zLnpl6GzvxOtwsTea2ukBD -clGQXcGzM229G23qoM8DyAnZfgstY5qv6Bx+L3T+9YFIeokDqdzm3MaHUzp7IrpE -cE48FmABtpsyn5t4u0kMBWdOYhvrq/dynPrVRFa8bR4hn2sH2/MpzYXVpKN8gBaM -jfdxPiNYfM7jMIKjGUkQocYOmmJF/kk+x8pSamUAQ6CrFaDJBntb8dQ+a5kb3LME -hobwyDcheaHSL60SPFzjuuP462kOfHbfHdNcVTgU0+JODaoFjR3hEuYcQNDrFlJL -8T6kysh4687+ITbTIkMpjCu0uEdMpsrrbc+NjLECggEAPuxI6iHAWsUq94v3cm1R -fmB+0Pw/8nWtPrVR4paEGfYwZsNXW5x62CHe+CBcPG5QDYduBhwV2ZsFPvUyG3yG -YJinzgFxRmBE0YgcjafBcitIEQsC4JVYQd5dvnmP+OwNG3f6F3e13170ZLnKiYyA -hH2xIBOkIeVE3KXYSkg+bFpHEXgWlTx4rBRys21CqIlK6HBA/yfKGDV/CVbYtiSW -HG+4v62irsUYbg3wX5/u7Yww1PwGXXFVg176yYbHm/M0SK2UAW0T81x8RRk4fZdc -XJo1sfWHFE0hZn52ufZsIu8AS8kJOSA02nlQHpDDcwlld2U/ewqI3YuQyUJkQK0k -0QKCAQAdJtr4fvDtghvum7+ZYkzmt9kstm4/elM35FmAtJfm11DQJ4bSTErrj+Zz -zQOJ0P8VF0MFoFoCuUPoN5u2eq3Y0na6DhD4RqYJA9BkZFrKqn8U33CgX6qQ7UHC -P3WuawYeR3xBdIKPUGOMPdUiwfC6Xz9JL2L0WcnoGQ3rI3AhijvyF4r4F3dCycZy -IM5LZJWsTOhCJqOuxrAQLJz2UX28+Bn7gH+jPTZLKE2yX3NH9/L0ydqwZLjFw3e9 -I53RcJBti1zA8N0n8IISOlwiKnhUiLyrujccEYzQFDVyjvcGos68gNLEXPPOceq1 -8xj8Qh/Q3Y4H3Ktn1ELiSPHc44oM ------END PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/ca-key.pem b/istio-1.24.3/samples/certs/ca-key.pem deleted file mode 100644 index faa77f38..00000000 --- a/istio-1.24.3/samples/certs/ca-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 -3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd -Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd -PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs -ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ -t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B -C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN -ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU -8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg -oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf -QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w -J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp -FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ -CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e -DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE -Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN -cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt -yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO -wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY -qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D -Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 -cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 -mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa -8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ -lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== ------END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/cert-chain-alt-2.pem b/istio-1.24.3/samples/certs/cert-chain-alt-2.pem deleted file mode 100644 index ba9e49e7..00000000 --- a/istio-1.24.3/samples/certs/cert-chain-alt-2.pem +++ /dev/null 
@@ -1,62 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeTCCA2GgAwIBAgIUNnd90WzsKHfAhOFJAiow2W5D8iQwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNTMwWhcNMzMxMjA4MTYyNTMwWjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMjCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAMbK7UmbUiCLkoUMUXE+5gkfHQ/x808O/RfL -JNxUa/1pN6Jt9COosld69FmJBwpTufOyCZOP7rerOeufxlel45R28EVNyRnjG6jO -Kl/O1vuAwjc0HNvftXTsYVEZ+zpV4UWa4QK6kUwIZ6KH75A6HT6qmJavNEs1PEUA -oCitowAMpn8Ix1E9LxQNgx7IUeAD8THzyeAPZsOYcl1IFWvZkcqabg9hMqXtPxP0 -eciHlQb/jeEd0gLTXVi7ymhUczMmffxZZrQ346Ylz7zZ6SkHFjPCyfeNSwB5iszk -VdKGVtyogmp7mEcwa8o4p1JESmWF3qRZpUVs+Y7loGYTVQBlqUSdnI/zx5yd+qXY -mR3ktEUK5AUI7liIwJ1BKZy6z4OSZ+qna+LbJRqLcB/4tK0YuOf8ffmk18GyjQQ+ -tKeZjntTnnaS+mtFLP1zpW+BnurCRfVPxEg8bFCg511AuyuWRuB2MHQXQg+H915C -e2qm5/ccGfV2mDVF2jKS1q39g7YVLd5HCxR0rBlrh9IwdxE5sAzoREylLrc+HsJn -27841ID+MiwI3l/GUst/UW2SEA1OtxT5USC6pkZyRBM/Y7OJthNxXyCOpzUhu8AQ -GUbtrdI7oEFaSLsdH2GXhQeh0TecJiNnhbvIryZK2HofWncdBVE+AcK7VWUFO4At -6gVcR1qPAgMBAAGjgYswgYgwHQYDVR0OBBYEFCuu9MuphtLDKUZpJK49m12qXRwo -MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC -F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp -EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQDGvZxypjwVUljjvQ1AFi6Grirq -iLPgrC5zepLyUaWefLr9I99k4Uq8+f5WWk3Y04SWnY2JPNGvdjAG8aRpM0IixnO0 -OFnlaYjRBv0EKhdzg+TC6O9R2s5s01lR4ya1kmzDyC7BKcGzo8T2IXOOTftcFAAT -arc6Z55BuFuYslWlj+bQ96mxuN1q53a+JzYl+o92vpdnCBKb3OSGjb1hA29E3wzm -YPsctkItuGImX/JUBqZH/0YxdRDjXI8AJ8R8p1qoZZORMrMVey8bX98EN3ai8HVQ -RmP1Fa7qU3O28fi5JHGaX48O8VdJHdRR0G87qDNxArtrhrylrcTykPZkapwUQP+C -SJuy2F5hEVwI8nwX6SKbzW3tsUYQssk9/3U4DmfIWhCg7ffeEp+aLshkrtlIi9NY -YZtznntQagFSs3Cg/XsSjcKMmVfQ69uy7tTHUpK66mz5DosRBo13DFaI19bxNfQX -yJnKuuvyx1q6Y7BsFwqElX2G9WZ6/mgUpochDKgTni0o6AmDBvrfcXfJRxQwICUe -crvOngDaRmQ50HaKoNtWgYHYCXSNP8de//Yz+ebusyLca4i0PTt5oGInW4k8folC -ntXpODzLE3qNYRrSM74KGNre7hwp9BE+i6ksiojVawt5GJgS98PK3zdpVNNIPp0s -ZW8HVio+HD4I2VBxTQ== ------END 
CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta -YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ -dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/cert-chain-alt.pem b/istio-1.24.3/samples/certs/cert-chain-alt.pem deleted file mode 100644 index 204d4090..00000000 --- a/istio-1.24.3/samples/certs/cert-chain-alt.pem +++ /dev/null 
@@ -1,62 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeTCCA2GgAwIBAgIUQchu+RczGG1A4BnmrCcpkURQGTAwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNTI1WhcNMzMxMjA4MTYyNTI1WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJCkq9Y68g9n0i4xkyYo4mygXIgaj94cvmu3 -X81CLEu/hYrl08acaKZMno+57ibAfxKBsWfA0FMp1eXZ3T9KYlNsSarC8c6RCPbX -Lzp4iPGMq5n/+OgCGaVUbaLuZB7F6gCJebyM3Du6Zap7X1xm3w2EpiVqHW6iAJqv -oBNtm7/uzFQiIU3UMeea/XBzo1FpDqNcuc/GgyILs1GA2+U4LfmcwhvUjF36bZ1q -WMnPfCMHwHTNiGikAJKSXqADz8+rthOyNZq3yFGV/ZOJf6yHOWiyP1BjojRbHCt1 -P8u2nWuD40iqreVrQw3h5Hsz6+mCIkUYFZ45yO0fyRZ/q46M8RKHluD1VI7X6R98 -wB+XPqh12tbXUQJw1/QdtUotszhQq/WUbewX9v4joGIel3MFpoBCoaHh4N4/S1Vk -9k32c4lEYeV5wO6DZSV9fuasN6KzaiPNNiufP2MnIzJSbal0uZJ0dmyhmHGLGsGc -t6zxAQpV8reqWZE1mZt94T4TnDpm61BDKRPRu7s6sP42iq6055c+5x3DhVqTInnB -uTi7oikTykZ2s0budYyjATNMUuz2RHZXxfb6ScqC5mEL0kbKCDgRzS0NS15LHpUX -Ue65PG8hiuWLuDTcQohWFkeIQyKUGL9uQ5qmmGK8FZwUU/9gY1JjrMw5sa+rVN/C -hkbRsHmBAgMBAAGjgYswgYgwHQYDVR0OBBYEFP/KjsSWWC+hw1cIaZLn1ZV3IeMq -MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmC -F2lzdGlvZC5pc3Rpby1zeXN0ZW0uc3ZjMB8GA1UdIwQYMBaAFL3svuf0yV+M2BHp -EvDmo37j045gMA0GCSqGSIb3DQEBCwUAA4ICAQBO6P+y7UQ7HRyA7dOf2Dvze6xv -HKgjh8z5uKNbfvmgUT2gECQ+3g0LvDRYHU7w/isSmhCQxIGf+xc7r3+Rtyjg+uEc -8z0UBysbqrn8pZXPr+FPU5X5czUnwXlZwj02e1fY250LCmfHXFYuPzgwtlbJs2Ec -2exDG7EZWWX6l/mRFQR8HiF/jum2i06yjO1v+phUVenW/ym2fq+/lY/ZWebQasD7 -7PT3yT/Eage4AIj5zYmZzqJex3OKDiVltAUefnekFJBKqv1UIcWlijRPZPK8uYQk -IYHRL5fpa9E/HkwY8QopXPJi6Yfx76acY+dQd1xovY3noUVGzQV5wuaICS9V6H9B -5vkxDYbbABQQ9OJcy8XR7cqlkUATiH5hVRjMSKJiostO+CiVDWjZyJdNgR0kZeaa -9cSYBdTBxN82A/Vtq4ETq/PG5rR08KQY4HqIlOlo16OxGcJ2zVKSk5lTeI1wx/in -uOnJTo5mDJHOJrtYGuCLiqZp/Fbcz/Tb9Qccc1yw78feYiNV6JXKx3uPvfsNbXkY -KnsorT6OQ9G2d/zKPYUw+JEc1BJpk8okvGT8oTfvnfXty63ccN4+iyohQP/GwtQ9 -XiIJ0gGGQjY1VA/L2MOYV0hSMLgddvl4Pt8KXsxQ72gGl8a/s1oOKkYfpm/xchpd -3ldrrKbAwExwhsARrA== ------END 
CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta -YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ -dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/cert-chain.pem b/istio-1.24.3/samples/certs/cert-chain.pem deleted file mode 100644 index a460e036..00000000 --- a/istio-1.24.3/samples/certs/cert-chain.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/generate-workload.sh b/istio-1.24.3/samples/certs/generate-workload.sh deleted file mode 100755 index 2ff08c8e..00000000 --- a/istio-1.24.3/samples/certs/generate-workload.sh +++ /dev/null 
@@ -1,111 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -name=${1:-foo} -ns=${2:-$name} -sa=${3:-$name} -tmp=${4:-""} -rootselect=${5:-""} -san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" - -DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -FINAL_DIR=$DIR -if [ -n "$tmp" ]; then - if [ -d "$tmp" ]; then - FINAL_DIR=$tmp - cp "$DIR"/root-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-key.pem "$FINAL_DIR" - cp "$DIR"/cert-chain.pem "$FINAL_DIR" - - cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" - cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" - - else - echo "tmp argument is not a directory: $tmp" - exit 1 - fi -fi - -function cleanup() { - if [ -f "$FINAL_DIR"/.srl ]; then - rm "$FINAL_DIR"/.srl - fi - if [ -f "$FINAL_DIR"/ca-cert.srl ]; then - rm "$FINAL_DIR"/ca-cert.srl - fi - if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then - rm "$FINAL_DIR"/ca-cert-alt.srl - fi - if [ -f "$FINAL_DIR"/workload.cfg ]; then - rm "$FINAL_DIR"/workload.cfg - fi - if [ -f "$FINAL_DIR"/workload.csr ]; then - rm "$FINAL_DIR"/workload.csr - fi -} - -trap cleanup EXIT - -openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 - -cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" -cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem" -cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem" - 
-echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" -openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem" - diff --git a/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem b/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem deleted file mode 100644 index b5f4752c..00000000 --- a/istio-1.24.3/samples/certs/leaf-workload-bar-cert.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem b/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem deleted file mode 100644 index fee6dcf8..00000000 --- a/istio-1.24.3/samples/certs/leaf-workload-foo-cert.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/root-cert-alt.pem b/istio-1.24.3/samples/certs/root-cert-alt.pem deleted file mode 100644 index 751429c9..00000000 --- a/istio-1.24.3/samples/certs/root-cert-alt.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta -YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ -dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- 
diff --git a/istio-1.24.3/samples/certs/root-cert-combined-2.pem b/istio-1.24.3/samples/certs/root-cert-combined-2.pem
deleted file mode 100644
index 3be5ea66..00000000
--- a/istio-1.24.3/samples/certs/root-cert-combined-2.pem
+++ /dev/null
@@ -1,84 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta 
-YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ -dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta -YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ 
-dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.24.3/samples/certs/root-cert-combined.pem b/istio-1.24.3/samples/certs/root-cert-combined.pem deleted file mode 100644 index fc7ee45a..00000000 --- a/istio-1.24.3/samples/certs/root-cert-combined.pem +++ /dev/null 
@@ -1,54 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIUbQ/RQ9GNnLx7rNVNUJHeizdO1TswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMxMjEx -MTYyNDM2WhcNMzMxMjA4MTYyNDM2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN7V2l7b -/bZsHlWY5qC1p99Au3I0VYr34i/2BIMHSnh1jHn1B6qspjHw2IkqH0SU41M3Vpr7 -m06HGuuZHsq8biUfuUL6Ywt+Vyj2UnPuc6SDPRXxAkBaVGGEAs30akJPkhbbA2qv -jFxfc2A8GCfnHpGYQkZOvZEQNeHPYkTDsdLEKdbdXkzJMFEGxGDgYiW7xjowDkta 
-YlrLBIeHwRCnZ/gTjdCu6oPjCW9JsySbbfx8dYWthIDf/SGqnX8gnDn5K1W5Ip+w -xaiXZ9FsEzrWd+DXx67sPAS2wl/Qe+RVFLbCGfGnfKdj0CGUtwV/hE2BLWk7fMK/ -dzQR9Bc6GM06uJejZFGuVrwkJldzWW7rp6cJc5D5vJxYCRZZsuk3x6o/mg+z+meh -kYeUCgsEGU1eKJB7tJ6myiYCLvgjihnnbS0fQlq+9XhHh3IlQfYvZsgPPlWZjyE6 -SO0JUNgCenuvgawihEHCUvFW/VbeuhxNlcP8w03tXcZCPJd75Xe1GRboa0KEcCwx -hFMWMZmqLQOZ6XZUAWZIPqKPvBCLJKCDhXwf3kZjX9Geg04+KJwsJt5wJndlWjdb -LWUIoiy41Jovc3N2hME5cinTllZI4kdOrnZ+NdL5aqoppfjZDQGHESuuPY0vxJEP -dcfM5Q3BiMo/K/hNCnbp1ywtvbzGqd8/b9OtAgMBAAGjQjBAMB0GA1UdDgQWBBS9 -7L7n9MlfjNgR6RLw5qN+49OOYDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEANnOOVzb6CpOkkXsSwxqaFfrCwJT+L+1O -H8WvVtewAmzu8TcfuVjwwSgnVMF48TbnA1KvHIWktRNGtSTyEMLN5pH4SvCyK/9w -IeIOqTNyHmN/4nETT7HjbszdjfsIWYZAjcq2cyhRj+650OJdotUHbBo7iBbAi4TW -IuqseH4hgrT7qDFebhcVz8ualx9UJkmR7QqWhWqOsMbcLtm4OLZCFNJseaHM/t6H -seO/OH7FNqe+GMCoXX1m348iJBZ/1ZhBMReqtNMQKpGL23fQqJnUTrD3717kS+xF -36PsFP5YYtBJ9WMXfX8Wk/YQIimXpcQeuF40VAIw5EG6SxntpBjoSPET2mTj2j9X -Gunoh3PjYMBOlszrQVs66Qwe+vBj6xdPMHyRI0eTiETnmVG5jUo2cJnr8ztqD6oU -zCmTX2SXCE9FXJ6MifPHEXJ1OPb9IY5tcUdjxhIB2HAigFHasxBlX44Ob6nHUyJO -ZqhsF8FouuzSQTRWP7soIA3HT9MlZHhRh3Uef+ZXziKZR/Uyb66uYylIWCWsAoiU -Hw4wPZhG65XTVQfg7R2cz1w72v7ugXAy3xbGfgLXhFzVnjy/ttIV/TSgpdBquhTQ -1ZG9Ieiu16avJkphqkmNr/CRCdZqDGp4DGQZNo69POGphapVe7EZenpzDU787oZF -tugW0JVzMZI= ------END CERTIFICATE----- \ No newline at end of file diff --git a/istio-1.24.3/samples/certs/root-cert.pem b/istio-1.24.3/samples/certs/root-cert.pem deleted file mode 100644 index 64c3fd50..00000000 --- a/istio-1.24.3/samples/certs/root-cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN -8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-bar-cert.pem b/istio-1.24.3/samples/certs/workload-bar-cert.pem deleted file mode 100644 index 1b59e9c5..00000000 --- a/istio-1.24.3/samples/certs/workload-bar-cert.pem +++ /dev/null 
@@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-bar-key.pem b/istio-1.24.3/samples/certs/workload-bar-key.pem deleted file mode 100644 index 1b7889a9..00000000 --- a/istio-1.24.3/samples/certs/workload-bar-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ -NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ -aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1 -EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz -MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz -nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok -POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh -nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL -jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL -O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK -v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3 -bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7 -5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77 -pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5 -Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl -sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO -U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd -SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx -C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy -9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf -dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo -qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH -La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw -nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm -oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA== ------END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/workload-bar-root-certs.pem b/istio-1.24.3/samples/certs/workload-bar-root-certs.pem deleted file mode 100644 index 9a43073e..00000000 --- a/istio-1.24.3/samples/certs/workload-bar-root-certs.pem +++ /dev/null 
@@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-foo-cert.pem b/istio-1.24.3/samples/certs/workload-foo-cert.pem deleted file mode 100644 index 50197b98..00000000 --- a/istio-1.24.3/samples/certs/workload-foo-cert.pem +++ /dev/null 
@@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/certs/workload-foo-key.pem b/istio-1.24.3/samples/certs/workload-foo-key.pem deleted file mode 100644 index bac90f1e..00000000 --- a/istio-1.24.3/samples/certs/workload-foo-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit -HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP -DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005 -nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8 -3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz -RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw -vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh -OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D -PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/ -/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5 -QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N -a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75 -Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N -au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O -79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb -nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC -mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4 -/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq -HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh -Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+ -Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX -CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU -HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt -cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz -9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ ------END RSA PRIVATE KEY----- diff --git a/istio-1.24.3/samples/certs/workload-foo-root-certs.pem b/istio-1.24.3/samples/certs/workload-foo-root-certs.pem deleted file mode 100644 index 9a43073e..00000000 --- a/istio-1.24.3/samples/certs/workload-foo-root-certs.pem +++ /dev/null 
@@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.24.3/samples/cicd/skaffold/README.md b/istio-1.24.3/samples/cicd/skaffold/README.md deleted file mode 100644 index a8fa19ab..00000000 --- a/istio-1.24.3/samples/cicd/skaffold/README.md +++ /dev/null 
@@ -1,45 +0,0 @@
-# Skaffold
-
-This is intended for demonstration only, and is not tuned for performance or security.
-
-skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters
-
-If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch.
-
-## Quick Start
-
-skaffold is built around modules and profiles
-
-1) istio-base + istio
-
- ```bash
- skaffold run -m istiod
- ```
-
-2) istio-base + istio + ingress
-
- ```bash
- skaffold run -m ingress
- ```
-
-3) istio-base + istio + ingress + kiali
-
- ```bash
- skaffold run -m ingress,kiali
- ```
-
-4) istio-base + istio + ingress + kiali + bookinfo
-
- ```bash
- skaffold run -m ingress,kiali,bookinfo
- ```
-
-## References
-
-- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold)
-- Site: [skaffold.dev](https://skaffold.dev/)
-
-### TODO
-
-- Add build and test stage for images in istiod (pilot and proxy)
-- Addons
diff --git a/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml b/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml
deleted file mode 100644
index b67aa289..00000000
--- a/istio-1.24.3/samples/cicd/skaffold/skaffold.yaml
+++ /dev/null
@@ -1,145 +0,0 @@ -# Skaffold - https://skaffold.dev/ -# ------------------------------------------------ # -# This is for illustration purposes only -# ------------------------------------------------ # -# Installation options & modules -# ------------------------------------------------ # -# istio - `skaffold run -m istiod` -# ingress - `skaffold run -m ingress` -# Addons: -# - kiali - `skaffold run -m kiali` -# - prometheus - `skaffold run -m prometheus` -# Demos: -# - bookinfo - `skaffold run -m bookinfo` -# ------------------------------------------------ # -# Development mode - skaffold dev # -# ------------------------------------------------- # -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istio-base -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-base - chartPath: ../../../manifests/charts/base - namespace: istio-system - createNamespace: true - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istio-base - remoteChart: base - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system - createNamespace: true ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istiod -requires: - - configs: [istio-base] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istiod - chartPath: ../../../manifests/charts/istio-control/istio-discovery - namespace: istio-system - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istiod - remoteChart: istiod - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: ingress -requires: - - configs: [istiod] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-ingressgateway - chartPath: ../../../manifests/charts/gateway - namespace: istio-system - - name: run - 
activation: - - command: run - deploy: - helm: - releases: - - name: istio-ingressgateway - remoteChart: gateway - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -# https://istio.io/latest/docs/ops/integrations/prometheus/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: prometheus -requires: - - configs: [istiod] -deploy: - kubectl: - manifests: ["../../../samples/addons/prometheus.yaml"] ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: kiali -requires: - - configs: [prometheus] -deploy: - helm: - releases: - - name: kiali-server - remoteChart: kiali-server - repo: https://kiali.org/helm-charts - namespace: istio-system - version: v1.44.0 - valuesFiles: [../../../manifests/addons/values-kiali.yaml] ---- -# Config for https://istio.io/latest/docs/examples/bookinfo/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: bookinfo -requires: - - configs: [ingress] -deploy: - kubectl: - hooks: - before: - - host: - command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [darwin, linux] - - host: - command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [windows] - manifests: - - "../../../samples/bookinfo/platform/kube/bookinfo.yaml" - - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml" - - "../../../samples/bookinfo/networking/destination-rule-all.yaml" diff --git a/istio-1.24.3/samples/curl/README.md b/istio-1.24.3/samples/curl/README.md deleted file mode 100644 index 05ed1534..00000000 --- a/istio-1.24.3/samples/curl/README.md +++ /dev/null 
@@ -1,28 +0,0 @@
-# Simple curl service
-
-This sample is a a request source for invoking other services, to experiment with Istio networking.
-It consists of a pod that does nothing but sleep. You can get a shell on the pod (an Alpine container) and use `curl`.
-
-To use it:
-
-1. Install Istio by following the [installation instructions](https://istio.io/docs/setup/).
-
-1. Start the curl pod:
-
- ```bash
- kubectl apply -f curl.yaml
- ```
-
-1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/).
-
- Now you can `kubectl exec` into the curl service to experiment with Istio networking.
- For example, the following commands can be used to call the Bookinfo `ratings` service:
-
- ```bash
- export CURL_POD=$(kubectl get pod -l app=curl -o jsonpath={.items..metadata.name})
- kubectl exec -it $CURL_POD -c curl -- curl http://ratings.default.svc.cluster.local:9080/ratings/1
- {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
- ```
-
-You can also use the curl service to test accessing services outside of the mesh.
-See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details.
diff --git a/istio-1.24.3/samples/curl/curl.yaml b/istio-1.24.3/samples/curl/curl.yaml
deleted file mode 100644
index 306a5afc..00000000
--- a/istio-1.24.3/samples/curl/curl.yaml
+++ /dev/null
@@ -1,66 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Curl service -################################################################################################## -apiVersion: v1 -kind: ServiceAccount -metadata: - name: curl ---- -apiVersion: v1 -kind: Service -metadata: - name: curl - labels: - app: curl - service: curl -spec: - ports: - - port: 80 - name: http - selector: - app: curl ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: curl -spec: - replicas: 1 - selector: - matchLabels: - app: curl - template: - metadata: - labels: - app: curl - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: curl - containers: - - name: curl - image: curlimages/curl - command: ["/bin/sleep", "infinity"] - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /etc/curl/tls - name: secret-volume - volumes: - - name: secret-volume - secret: - secretName: curl-secret - optional: true ---- diff --git a/istio-1.24.3/samples/custom-bootstrap/README.md b/istio-1.24.3/samples/custom-bootstrap/README.md deleted file mode 100644 index 7d1c6236..00000000 --- a/istio-1.24.3/samples/custom-bootstrap/README.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Custom Envoy Bootstrap Configuration - -This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. - -## Starting the service - -First, we need to create a `ConfigMap` resource with our bootstrap configuration. - -```bash -kubectl apply -f custom-bootstrap.yaml -``` - -Next, we can create a service that uses this bootstrap configuration. - -To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. - -We can create our helloworld app, using the custom config, with: - -```bash -kubectl apply -f example-app.yaml -``` - -If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -set in your cluster you will need to manually inject it to the services instead: - -```bash -istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml -kubectl apply -f example-app-istio.yaml -``` - -## Checking the Bootstrap Configuration - -To see what bootstrap configuration a pod is using: - -```bash -istioctl proxy-config bootstrap -``` - -## Customizing the Bootstrap - -The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. - -This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. - -For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful - -## Outside of Kubernetes - -The annotation above configures a volume mount and configures Istio to use it. 
-When running outside of Kubernetes or in custom setups, similar functionality can be achieved by setting the `ISTIO_BOOTSTRAP_OVERRIDE` variable pointing to a file containing the custom bootstrap. - -## Cleanup - -```bash -kubectl delete -f custom-bootstrap.yaml -kubectl delete -f example-app.yaml -``` diff --git a/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml deleted file mode 100644 index 5f406976..00000000 --- a/istio-1.24.3/samples/custom-bootstrap/custom-bootstrap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-custom-bootstrap-config - namespace: default -data: - custom_bootstrap.json: | - "tracing": { - "http": { - "name": "envoy.tracers.zipkin", - "typed_config": { - "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig", - "collector_cluster": "zipkin", - "collector_endpoint": "/api/v1/spans/custom", - "collector_endpoint_version": "HTTP_JSON", - "trace_id_128bit": true, - "shared_span_context": false - } - } - } diff --git a/istio-1.24.3/samples/custom-bootstrap/example-app.yaml b/istio-1.24.3/samples/custom-bootstrap/example-app.yaml deleted file mode 100644 index 3a351a31..00000000 --- a/istio-1.24.3/samples/custom-bootstrap/example-app.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - annotations: - sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config" - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 5000 
diff --git a/istio-1.24.3/samples/extauthz/README.md b/istio-1.24.3/samples/extauthz/README.md
deleted file mode 100644
index 8cefb664..00000000
--- a/istio-1.24.3/samples/extauthz/README.md
+++ /dev/null
@@ -1,99 +0,0 @@ -# Ext Authz Service - -[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) -as an example of integrating custom authorization system into Istio. - -The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and -will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. -Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. - -## Usage - -1. Deploy the Ext Authz service in a dedicated pod: - - ```console - $ kubectl apply -f ext-authz.yaml - service/ext-authz created - deployment.apps/ext-authz created - ``` - - Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. - -1. Verify the Ext Authz server is up and running: - - Deploy a sleep pod to send the request: - - ```console - $ kubectl apply -f ../sleep/sleep.yaml - ``` - - Send a check request with header `x-ext-authz: allow` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" - * Trying 10.97.88.183:8000... 
- * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allow - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-ext-authz-result: allowed - < date: Tue, 03 Nov 2020 03:06:11 GMT - < content-length: 0 - < x-envoy-upstream-service-time: 19 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - ``` - - As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. - - Send another check request with `x-ext-authz: blabla` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allowx - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < x-ext-authz-check-result: denied - < date: Tue, 03 Nov 2020 03:14:02 GMT - < content-length: 76 - < content-type: text/plain; charset=utf-8 - < x-envoy-upstream-service-time: 44 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - denied by ext_authz for not found header `x-ext-authz: allow` in the request - ``` - - As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. - -1. To clean up, execute the following commands: - - ```console - $ kubectl delete -f ../sleep/sleep.yaml - $ kubectl delete -f ext-authz.yaml - ``` - -## Advanced features - -The Ext Authz server supports the following advanced features that are useful for testing: - -- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of - the check request it received from the ext-authz filter. 
This header is useful in verifying the ext-authz filter sending - the expected request to the ext authz server. - -- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to - the user request. The value of the header depends on the type of ext-authz server. - The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the - check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. - This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/istio-1.24.3/samples/extauthz/ext-authz.yaml b/istio-1.24.3/samples/extauthz/ext-authz.yaml deleted file mode 100644 index 0860df5c..00000000 --- a/istio-1.24.3/samples/extauthz/ext-authz.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Example configurations for deploying ext-authz server separately in the mesh. - -apiVersion: v1 -kind: Service -metadata: - name: ext-authz - labels: - app: ext-authz -spec: - ports: - - name: http - port: 8000 - targetPort: 8000 - - name: grpc - port: 9000 - targetPort: 9000 - selector: - app: ext-authz ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ext-authz -spec: - replicas: 1 - selector: - matchLabels: - app: ext-authz - template: - metadata: - labels: - app: ext-authz - spec: - containers: - - image: gcr.io/istio-testing/ext-authz:latest - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 ---- diff --git a/istio-1.24.3/samples/extauthz/local-ext-authz.yaml b/istio-1.24.3/samples/extauthz/local-ext-authz.yaml deleted file mode 100644 index 46797770..00000000 --- a/istio-1.24.3/samples/extauthz/local-ext-authz.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Example configurations for deploying ext-authz server locally with the application container in the same pod. - -# Define the service entry for the local ext-authz service on port 8000. -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-http -spec: - hosts: - - "ext-authz-http.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: http - number: 8000 - protocol: HTTP - resolution: STATIC ---- -# Define the service entry for the local ext-authz service on port 9000. -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-grpc -spec: - hosts: - - "ext-authz-grpc.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: grpc - number: 9000 - protocol: GRPC - resolution: STATIC ---- -# Deploy the ext-authz server locally with the application container in the same pod. 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: httpbin -spec: - replicas: 1 - selector: - matchLabels: - app: httpbin - version: v1 - template: - metadata: - labels: - app: httpbin - version: v1 - spec: - serviceAccountName: httpbin - containers: - - image: docker.io/mccutchen/go-httpbin:v2.15.0 - imagePullPolicy: IfNotPresent - name: httpbin - # Same as found in Dockerfile's CMD but using an unprivileged port - command: - - gunicorn - - -b - - 0.0.0.0:8080 - - httpbin:app - - -k - - gevent - env: - # Tells pipenv to use a writable directory instead of $HOME - - name: WORKON_HOME - value: /tmp - ports: - - containerPort: 8080 - - image: gcr.io/istio-testing/ext-authz:latest - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 ---- -apiVersion: v1 -kind: Service -metadata: - name: httpbin - labels: - app: httpbin - service: httpbin -spec: - ports: - - name: http - port: 8000 - targetPort: 8080 - selector: - app: httpbin ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: httpbin ---- diff --git a/istio-1.24.3/samples/external/README.md b/istio-1.24.3/samples/external/README.md deleted file mode 100644 index 8f7d9c48..00000000 --- a/istio-1.24.3/samples/external/README.md +++ /dev/null 
@@ -1,34 +0,0 @@
-# External Services
-
-By default, Istio-enabled services are unable to access services and URLs outside the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.
-
-See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
-information on configuring Istio to contact external services.
-
-This directory contains samples showing how to enable pods to contact a few well
-known services.
-
-If Istio is not configured to allow pods to contact external services, the pods will
-see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
-ServiceEntries are misconfigured pods may see problems with server names.
-
-## Try it out
-
-After an operator runs `kubectl create -f aptget.yaml` pods will be able to
-succeed with `apt-get update` and `apt-get install`.
-
-After an operator runs `kubectl create -f github.yaml` pods will be able to
-succeed with `git clone https://github.com/fortio/fortio.git`.
-
-Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.
-
-It is not a best practice to enable pods to update libraries dynamically.
-We are providing these samples
-because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud
-services.
-
-### Enable communication by default
-
-Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
-discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
-allow external communication for ports 80 and 22.
diff --git a/istio-1.24.3/samples/external/aptget.yaml b/istio-1.24.3/samples/external/aptget.yaml
deleted file mode 100644
index 0b3bf3bb..00000000
--- a/istio-1.24.3/samples/external/aptget.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# This ServiceEntry exposes the hosts needed for installing packages with apt-get. -# After applying this file, Istio-enabled pods (configured apt-get) be able to execute -# `apt-get upgrade` and `apt-get install`. If this is not installed you may get -# "404 Not Found" - -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: make-aptget-work -spec: - hosts: - - deb.debian.org - - cdn-fastly.deb.debian.org - - security.debian.org - - archive.ubuntu.com - - security.ubuntu.com - ports: - - number: 80 - name: http - protocol: HTTP diff --git a/istio-1.24.3/samples/external/github.yaml b/istio-1.24.3/samples/external/github.yaml deleted file mode 100644 index 52dd5999..00000000 --- a/istio-1.24.3/samples/external/github.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -# This ServiceEntry exposes the hosts needed for github.com. -# After applying this file, Istio-enabled pods will be able to execute -# `git clone https://github.com/istio/api.git` and (with local identification -# config and certificate) `git clone git@github.com:istio/api.git` - -# HTTP and TLS, the host must be specified -# See https://istio.io/docs/tasks/traffic-management/egress/ -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: github-https -spec: - hosts: - - github.com - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# For TCP services the IP ranges SHOULD be specified to avoid problems -# if multiple SEs use the same port number. -# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: github-tcp -spec: - hosts: - - dummy.github.com # not used - addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/ - - "13.229.188.59/32" - - "13.250.177.223/32" - - "140.82.112.0/20" - - "18.194.104.89/32" - - "18.195.85.27/32" - - "185.199.108.0/22" - - "185.199.108.153/32" - - "185.199.109.153/32" - - "185.199.110.153/32" - - "185.199.111.153/32" - - "192.30.252.0/22" - - "192.30.252.153/32" - - "192.30.252.154/32" - - "23.20.92.3/32" - - "35.159.8.160/32" - - "52.74.223.119/32" - - "54.166.52.62/32" - - "54.87.5.173/32" - ports: - - name: tcp - number: 22 - protocol: tcp - location: MESH_EXTERNAL diff --git a/istio-1.24.3/samples/external/pypi.yaml b/istio-1.24.3/samples/external/pypi.yaml deleted file mode 100644 index c502ad7c..00000000 --- a/istio-1.24.3/samples/external/pypi.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# This ServiceEntry exposes the hosts needed for Python `pip`. -# After applying this file, Istio-enabled pods will be able to execute -# `pip search istio`. - -# HTTP and TLS, the host must be specified -# See https://istio.io/docs/tasks/traffic-management/egress/ - -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: python-https -spec: - hosts: - - pypi.python.org - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# pypi.python.org may 301 redirect to pypi.org, so we need this too. -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: pypi-https -spec: - hosts: - - pypi.org - ports: - - number: 443 - name: https - protocol: HTTPS ---- -# pip install may fetch files from files.pythonhosted.org -apiVersion: networking.istio.io/v1 -kind: ServiceEntry -metadata: - name: pythonhosted-https -spec: - hosts: - - files.pythonhosted.org - ports: - - number: 443 - name: https - protocol: HTTPS diff --git a/istio-1.24.3/samples/grpc-echo/README.md b/istio-1.24.3/samples/grpc-echo/README.md deleted file mode 100644 index 46631698..00000000 --- a/istio-1.24.3/samples/grpc-echo/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# grpc-echo - -This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`. -The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy. - -See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more -information. diff --git a/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml b/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml deleted file mode 100644 index 2dc6fd9a..00000000 --- a/istio-1.24.3/samples/grpc-echo/grpc-echo.yaml +++ /dev/null 
@@ -1,191 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: echo - name: echo - namespace: echo-grpc -spec: - selector: - app: echo - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: 18080 - - name: grpc - port: 7070 - targetPort: 17070 - - name: tcp - port: 9090 - targetPort: 19090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v1 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: echo - version: v1 - template: - metadata: - annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v1 - spec: - containers: - - args: - - --metrics=15014 - - --port - - "18080" - - --tcp - - "19090" - - --xds-grpc-server=17070 - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v1 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v2 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: echo - version: v2 - template: - metadata: - 
annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v2 - spec: - containers: - - args: - - --metrics=15014 - - --xds-grpc-server=17070 - - --port - - "18080" - - --tcp - - "19090" - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v2 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 diff --git a/istio-1.24.3/samples/health-check/liveness-command.yaml b/istio-1.24.3/samples/health-check/liveness-command.yaml deleted file mode 100644 index 247b55e5..00000000 --- a/istio-1.24.3/samples/health-check/liveness-command.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Liveness service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: liveness - labels: - app: liveness - service: liveness -spec: - ports: - - port: 80 - name: http - selector: - app: liveness ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness -spec: - selector: - matchLabels: - app: liveness - template: - metadata: - labels: - app: liveness - spec: - containers: - - name: liveness - image: registry.k8s.io/busybox - args: - - /bin/sh - - -c - - touch /tmp/healthy; sleep 3600 - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml b/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml deleted file mode 100644 index a39a3ff1..00000000 --- a/istio-1.24.3/samples/health-check/liveness-http-same-port.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: liveness-http - labels: - app: liveness-http - service: liveness-http -spec: - ports: - - name: http - port: 8001 - selector: - app: liveness-http ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness-http -spec: - selector: - matchLabels: - app: liveness-http - version: v1 - template: - metadata: - labels: - app: liveness-http - version: v1 - spec: - containers: - - name: liveness-http - image: docker.io/istio/health:example - ports: - - containerPort: 8001 - livenessProbe: - httpGet: - path: /foo - port: 8001 - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.24.3/samples/helloworld/README.md b/istio-1.24.3/samples/helloworld/README.md deleted file mode 100644 index 2d4b2fbc..00000000 --- a/istio-1.24.3/samples/helloworld/README.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Helloworld service - -This sample includes two versions of a simple helloworld service that returns its version -and instance (hostname) when called. -It can be used as a test service when experimenting with version routing. - -This service is also used to demonstrate canary deployments working in conjunction with autoscaling. -See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary). - -## Start the helloworld service - -The following commands assume you have -[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -enabled in your cluster. -If not, you'll need to modify them to include -[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection). - -To run both versions of the helloworld service, use the following command: - -```bash -kubectl apply -f helloworld.yaml -``` - -Alternatively, you can run just one version at a time by first defining the service: - -```bash -kubectl apply -f helloworld.yaml -l service=helloworld -``` - -and then deploying version v1, v2, or both: - -```bash -kubectl apply -f helloworld.yaml -l version=v1 -kubectl apply -f helloworld.yaml -l version=v2 -``` - -For even more flexibility, there is also a script, `gen-helloworld.sh`, that will -generate YAML for the helloworld service. This script takes the following -arguments: - -| Argument | Default | Description | -|-----------------------|---------|------------------------------------------------------------------------| -| `-h`,`--help` | | Prints usage information. | -| `--version` | `v1` | Specifies the version that will be returned by the helloworld service. | -| `--includeService` | `true` | If `true` the service will be included in the YAML. | -| `--includeDeployment` | `true` | If `true` the deployment will be included in the YAML. 
| - -You can use this script to deploy a custom version: - -```bash -./gen-helloworld.sh --version customversion | \ - kubectl apply -f - -``` - -## Configure the helloworld gateway - -*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.* - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f helloworld-gateway.yaml -``` - -Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) -to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl: - -```bash -export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT -curl http://$GATEWAY_URL/hello -``` - -## Autoscale the services - -Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) -only works if all containers in the pods request cpu. In this sample the deployment -containers in `helloworld.yaml` are configured with the request. -The injected istio-proxy containers also include cpu requests, -making the helloworld service ready for autoscaling. 
- -Enable autoscaling on both versions of the service: - -```bash -kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 -kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 -kubectl get hpa -``` - -## Generate load - -```bash -./loadgen.sh & -./loadgen.sh & # run it twice to generate lots of load -``` - -Wait for about 2 minutes and then check the number of replicas: - -```bash -kubectl get hpa -``` - -If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1. - -## Cleanup - -```bash -kubectl delete -f helloworld.yaml -kubectl delete -f helloworld-gateway.yaml -kubectl delete hpa helloworld-v1 helloworld-v2 -``` diff --git a/istio-1.24.3/samples/helloworld/gateway-api/README.md b/istio-1.24.3/samples/helloworld/gateway-api/README.md deleted file mode 100644 index ee37810e..00000000 --- a/istio-1.24.3/samples/helloworld/gateway-api/README.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# Configure helloworld using the Kubernetes Gateway API - -Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). -You can use the following instructions to configure the ingress gateway and routing for the helloworld sample. - -## Before you begin - -The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present: - -```bash -kubectl get crd gateways.gateway.networking.k8s.io || \ - { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; } -``` - -Also make sure you are running two versions (v1 and v2) of the helloworld service: - -```bash -kubectl apply -f ../helloworld.yaml -``` - -## Configure the helloworld gateway - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f ./helloworld-gateway.yaml -``` - -Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment). - -Set the INGRESS_HOST environment variables to the address of the helloworld gateway: - -```bash -kubectl wait --for=condition=ready gtw helloworld-gateway -export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}') -``` - -Confirm the sample is running using curl: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2. 
- -## Configure weight-based routing - -Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this): - -```bash -kubectl apply -f ./helloworld-versions.yaml -``` - -Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2: - -```bash -kubectl apply -f ./helloworld-route.yaml -``` - -Run the previous curl commands again: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2. - -## Cleanup - -```bash -kubectl delete -f ./helloworld-gateway.yaml -kubectl delete -f ./helloworld-versions.yaml -kubectl delete -f ../helloworld.yaml -``` diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml deleted file mode 100644 index a21f1c67..00000000 --- a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-gateway.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - gatewayClassName: istio - listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: helloworld -spec: - parentRefs: - - name: helloworld-gateway - rules: - - matches: - - path: - type: Exact - value: /hello - backendRefs: - - name: helloworld - port: 5000 diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml deleted file mode 100644 index d6621bd3..00000000 --- a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-route.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: helloworld -spec: - parentRefs: - - name: helloworld-gateway - rules: - - matches: - - path: - type: Exact - value: /hello - backendRefs: - - name: helloworld-v1 - port: 5000 - weight: 90 - - name: helloworld-v2 - port: 5000 - weight: 10 diff --git a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml deleted file mode 100644 index fc218515..00000000 --- a/istio-1.24.3/samples/helloworld/gateway-api/helloworld-versions.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld-v1 -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld - version: v1 ---- -apiVersion: v1 -kind: Service -metadata: - name: helloworld-v2 -spec: - ports: - - port: 5000 - name: http - selector: - app: helloworld - version: v2 diff --git a/istio-1.24.3/samples/helloworld/gen-helloworld.sh b/istio-1.24.3/samples/helloworld/gen-helloworld.sh deleted file mode 100755 index 8634ddc7..00000000 --- a/istio-1.24.3/samples/helloworld/gen-helloworld.sh +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -display_usage() { - echo - echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]" - echo " -h|--help: Prints usage information" - echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'" - echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'" - echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'" -} - -INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} -INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} -SERVICE_VERSION=${SERVICE_VERSION:-"v1"} -while (( "$#" )); do - case "$1" in - -h|--help) - display_usage - exit 0 - ;; - - --version) - SERVICE_VERSION=$2 - shift 2 - ;; - - --includeService) - INCLUDE_SERVICE=$2 - shift 2 - ;; - - --includeDeployment) - INCLUDE_DEPLOYMENT=$2 - shift 2 - ;; - - *) - echo "Error: Unsupported flag $1" >&2 - display_usage - exit 1 - ;; - esac -done - -SERVICE_YAML=$(cat </dev/null || true) -if [[ "${ENVOS}" != "Linux" ]]; then - echo "Your system is not supported by this script. 
Only Linux is supported" - exit 1 -fi - -# Check prerequisites -REQUISITES=("kubectl" "kind" "docker") -for item in "${REQUISITES[@]}"; do - if [[ -z $(which "${item}") ]]; then - echo "${item} cannot be found on your system, please install ${item}" - exit 1 - fi -done - -# Function to print the usage message -function printHelp() { - echo "Usage: " - echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255" - echo "" - echo "Where:" - echo " -n|--cluster-name - name of the k8s cluster to be created" - echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given" - echo " -s|--ip-space - the 2nd to the last part for public ip addresses, 255 if not given, valid range: 0-255." - echo " -m|--mode - setup the required number of nodes per deployment model. Values are sidecar (1 node) or ambient (minimum of 2)" - echo " -w|--worker-nodes - the number of worker nodes to create. Default is 1" - echo " --pod-subnet - the pod subnet to specify. Default is 10.244.0.0/16 for IPv4 and fd00:10:244::/56 for IPv6" - echo " --service-subnet - the service subnet to specify. Default is 10.96.0.0/16 for IPv4 and fd00:10:96::/112 for IPv6" - echo " -i|--ip-family - ip family to be supported, default is ipv4 only. 
Value should be ipv4, ipv6, or dual" - echo " --ipv6gw - set ipv6 as the gateway, necessary for dual-stack IPv6-preferred clusters" - echo " -h|--help - print the usage of this script" -} - -# Setup default values -CLUSTERNAME="cluster1" -K8SRELEASE="" -IPSPACE=255 -IPFAMILY="ipv4" -MODE="sidecar" -NUMNODES="" -PODSUBNET="" -SERVICESUBNET="" -IPV6GW=false - -# Handling parameters -while [[ $# -gt 0 ]]; do - optkey="$1" - case $optkey in - -n|--cluster-name) - CLUSTERNAME="$2"; shift 2;; - -r|--k8s-release) - K8SRELEASE="--image=kindest/node:v$2"; shift 2;; - -s|--ip-space) - IPSPACE="$2"; shift 2;; - -m|--mode) - MODE="$2"; shift 2;; - -w|--worker-nodes) - NUMNODES="$2"; shift 2;; - --pod-subnet) - PODSUBNET="$2"; shift 2;; - --service-subnet) - SERVICESUBNET="$2"; shift 2;; - -i|--ip-family) - IPFAMILY="${2,,}";shift 2;; - --ipv6gw) - IPV6GW=true; shift;; - -h|--help) - printHelp; exit 0;; - *) # unknown option - echo "parameter $1 is not supported"; printHelp; exit 1;; - esac -done - -# This block is to setup kind to have a local image repo to push -# images using localhost:5000, to use this feature, start up -# a registry container such as gcr.io/istio-testing/registry, then -# connect it to the docker network where kind nodes are running on -# which normally will be called kind -FEATURES=$(cat << EOF -featureGates: - MixedProtocolLBService: true - GRPCContainerProbe: true -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - etcd: - local: - # Run etcd in a tmpfs (in RAM) for performance improvements - dataDir: /tmp/kind-cluster-etcd - # We run single node, drop leader election to reduce overhead - controllerManagerExtraArgs: - leader-elect: "false" - schedulerExtraArgs: - leader-elect: "false" - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" -containerdConfigPatches: - - |- - 
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] - endpoint = ["http://kind-registry:5000"] -EOF -) - -validIPFamilies=("ipv4" "ipv6" "dual") -# Validate if the ip family value is correct. -isValid="false" -for family in "${validIPFamilies[@]}"; do - if [[ "$family" == "${IPFAMILY}" ]]; then - isValid="true" - break - fi -done - -if [[ "${isValid}" == "false" ]]; then - echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual" - exit 1 -fi - -if [[ "${MODE}" == "ambient" ]]; then - NUMNODES=${NUMNODES:-2} -fi - -NODES=$(cat <<-EOM -nodes: -- role: control-plane -EOM -) - -if [[ -n "${NUMNODES}" ]]; then -for _ in $(seq 1 "${NUMNODES}"); do - NODES+=$(printf "\n%s" "- role: worker") -done -fi - -CONFIG=$(cat <<-EOM -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -${FEATURES} -name: ${CLUSTERNAME} -${NODES} -networking: - ipFamily: ${IPFAMILY} -EOM -) - -if [[ -n "${PODSUBNET}" ]]; then - CONFIG+=$(printf "\n%s" " podSubnet: \"${PODSUBNET}\"") -fi - -if [[ -n "${SERVICESUBNET}" ]]; then - CONFIG+=$(printf "\n%s" " serviceSubnet: \"${SERVICESUBNET}\"") -fi - -# Create k8s cluster using the giving release and name -if [[ -z "${K8SRELEASE}" ]]; then - cat << EOF | kind create cluster --config - -${CONFIG} -EOF -else - cat << EOF | kind create cluster "${K8SRELEASE}" --config - -${CONFIG} -EOF -fi - -# Setup cluster context -kubectl cluster-info --context "kind-${CLUSTERNAME}" - -# Setup metallb using v0.13.11 -kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.11/config/manifests/metallb-native.yaml - -addrName="IPAddress" -ipv4Prefix="" -ipv6Prefix="" - -# Get both ipv4 and ipv6 gateway for the cluster -gatewaystr=$(docker network inspect -f '{{range .IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2) -read -r -a gateways <<< "${gatewaystr}" -for gateway in "${gateways[@]}"; do - if [[ "$gateway" == *"."* ]]; then - ipv4Prefix=$(echo "${gateway}" |cut -d'.' 
-f1,2) - else - ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4) - fi -done - -if [[ "${IPFAMILY}" == "ipv4" ]]; then - addrName="IPAddress" - ipv4Range="- ${ipv4Prefix}.${IPSPACE}.200-${ipv4Prefix}.${IPSPACE}.240" - ipv6Range="" -elif [[ "${IPFAMILY}" == "ipv6" ]]; then - addrName="GlobalIPv6Address" - ipv4Range="" - ipv6Range="- ${ipv6Prefix}::${IPSPACE}:200-${ipv6Prefix}::${IPSPACE}:240" -else - if [[ "${IPV6GW}" == "true" ]]; then - addrName="GlobalIPv6Address" - fi - - ipv4Range="- ${ipv4Prefix}.${IPSPACE}.200-${ipv4Prefix}.${IPSPACE}.240" - ipv6Range="- ${ipv6Prefix}::${IPSPACE}:200-${ipv6Prefix}::${IPSPACE}:240" -fi - -# utility function to wait for pods to be ready -function waitForPods() { - ns=$1 - lb=$2 - waittime=$3 - # Wait for the pods to be ready in the given namespace with lable - while : ; do - res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \ - -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true) - if [[ "${res}" == *"condition met"* ]]; then - break - fi - echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..." - sleep "${waittime}" - done -} - -waitForPods metallb-system app=metallb 10 - -# Now configure the loadbalancer public IP range -cat <&2 - exit 1 - ;; - esac -done - - -# single-cluster installations may need this gateway to allow VMs to get discovery -# for non-single cluster, we add additional topology information -SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" -if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then - if [[ -z "${NETWORK:-}" ]]; then - echo "Must specify either --single-cluster or --network." 
- exit 1 - fi -fi - -# base -IOP=$(cat < apply -f ../otel.yaml -``` - -In this example, we use `observability` as the namespace to deploy the `otel-collector` backend: - -```bash -kubectl create namespace observability -kubectl -n observability apply -f ../otel.yaml -``` - -The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector). - -Below is the configuration: - -```yaml -receivers: - otlp: - protocols: - grpc: - http: -processors: - batch: -exporters: - logging: - loglevel: debug -service: - pipelines: - logs: - receivers: [otlp] - processors: [batch] - exporters: [logging] -``` - -In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as: - -```yaml -exporters: - jaeger: - endpoint: jaeger-collector.istio-system.svc.cluster.local:14250 - tls: - insecure: true - sending_queue: - enabled: true - retry_on_failure: - enabled: true -service: - pipelines: - traces: - exporters: - - jaeger -``` - -You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`. - -If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service. - -You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above. 
- -You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like: - -```yaml -spec: - ports: - - name: grpc-otlp - port: 4317 - protocol: TCP - targetPort: 4317 -``` - -Otherwise the traces may not be reported. - -## Update mesh config - -Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled: - -```bash -istioctl install --set profile=demo -y -``` - -Or ensure you have the following additional mesh config set in your Istio: - -```yaml -mesh: |- - extensionProviders: - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local -``` - -Make sure the service name matches the one you deployed if you select a different namespace. - -## Apply the Telemetry resource to report traces - -Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector. - -```bash -kubectl -n apply -f ./telemetry.yaml -``` - -In this example, we deploy it to the default namespace, which is where the sample apps -from the [getting started](https://istio.io/latest/docs/setup/getting-started) are also deployed. - -```bash -kubectl apply -f ./telemetry.yaml -``` - -The core config is: - -```yaml -tracing: -- providers: - - name: otel-tracing - randomSamplingPercentage: 0 -``` - -As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples. 
- -## Check tracing results - -If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces. - -Then open up the `Jaeger` dashboard with: - -```bash -istioctl dashboard jaeger -``` - -You will see the requests' trace records. - -## Cleanup - -```bash -kubectl -n observability delete -f ./telemetry.yaml -kubectl -n observability delete -f ../otel.yaml -``` diff --git a/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml deleted file mode 100644 index 1c9e51d9..00000000 --- a/istio-1.24.3/samples/open-telemetry/tracing/telemetry.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: telemetry.istio.io/v1 -kind: Telemetry -metadata: - name: otel-demo -spec: - tracing: - - providers: - - name: otel-tracing - randomSamplingPercentage: 0 diff --git a/istio-1.24.3/samples/proxy-coredump/README.md b/istio-1.24.3/samples/proxy-coredump/README.md deleted file mode 100644 index 16704b2f..00000000 --- a/istio-1.24.3/samples/proxy-coredump/README.md +++ /dev/null @@ -1,16 +0,0 @@ -# Enabling Coredumps - -If the istio-proxy crashes, it will dump a core file which can be used to diagnose why it crashed. -This is useful when filing a bug report. - -However, the proxy runs with a read-only filesystem, so the default core-dumping configuration will generally not enabled -the proxy to dump cores. - -Instead, a *per node* `sysctl` can be tuned to change the location of the core dump. -Warning: this impacts all processes on the entire node, not just Istio. - -This can be done by running `sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited` on the node. - -To do this for all nodes, a `DaemonSet` is provided. -Run `kubectl apply -f daemonset.yaml` to apply it. -Note: this requires elevated privileges. 
diff --git a/istio-1.24.3/samples/proxy-coredump/daemonset.yaml b/istio-1.24.3/samples/proxy-coredump/daemonset.yaml deleted file mode 100644 index 6f820ba8..00000000 --- a/istio-1.24.3/samples/proxy-coredump/daemonset.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: enable-istio-coredumps - namespace: istio-system - labels: - app: enable-istio-coredumps -spec: - selector: - matchLabels: - app: enable-istio-coredumps - template: - metadata: - labels: - app: enable-istio-coredumps - spec: - hostNetwork: true - # hostPID: true - # hostIPC: true - initContainers: - - name: setsysctls - command: - - sh - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - image: alpine - imagePullPolicy: IfNotPresent - resources: {} - securityContext: - privileged: true - volumeMounts: - - name: sys - mountPath: /sys - containers: - - name: sleepforever - resources: - requests: - cpu: 1m - image: alpine - command: ["tail"] - args: ["-f", "/dev/null"] - volumes: - - name: sys - hostPath: - path: /sys diff --git a/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml b/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml deleted file mode 100644 index 94f2299f..00000000 --- a/istio-1.24.3/samples/ratelimit/local-rate-limit-service.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -# This example shows how to use Istio local rate limiting with descriptors to limit by path. -# This uses the base book-info demo and adds rate limiting by path, specifically rate limiting the product page -# to 10 requests per minute, and the overall fdqn will be able to accept 100 requests per minute. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: filter-local-ratelimit-svc - namespace: istio-system -spec: - workloadSelector: - labels: - app: productpage - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: envoy.filters.http.local_ratelimit - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - value: - stat_prefix: http_local_rate_limiter - - applyTo: HTTP_ROUTE - match: - context: SIDECAR_INBOUND - routeConfiguration: - vhost: - name: "inbound|http|8000" - route: - action: ANY - patch: - operation: MERGE - value: - route: - rate_limits: - - actions: - - remote_address: {} - - actions: - - header_value_match: - descriptor_value: "productpage" - expect_match: true - headers: - - name: :path - string_match: - prefix: /productpage - ignore_case: true - - typed_per_filter_config: - envoy.filters.http.local_ratelimit: - "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - stat_prefix: test_enabled - token_bucket: - max_tokens: 100 - tokens_per_fill: 100 - fill_interval: 60s - enable_x_ratelimit_headers: DRAFT_VERSION_03 # This adds the ability to see headers for how many tokens are left in the bucket, how often the bucket refills, and what is the token bucket max. 
- filter_enabled: - runtime_key: test_enabled - default_value: - numerator: 100 - denominator: HUNDRED - filter_enforced: - runtime_key: test_enabled - default_value: - numerator: 100 - denominator: HUNDRED - response_headers_to_add: - - append: false - header: - key: x-local-rate-limit - value: "true" - descriptors: - - entries: - - key: header_match - value: productpage - token_bucket: - max_tokens: 10 - tokens_per_fill: 10 - fill_interval: 60s - diff --git a/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml b/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml deleted file mode 100644 index 1045482b..00000000 --- a/istio-1.24.3/samples/ratelimit/rate-limit-service.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Redis service and deployment -# Ratelimit service and deployment - -# Note: a configmap is needed to make the rate limit deployment work properly, for example: -# -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: ratelimit-config -# data: -# config.yaml: | -# domain: echo-ratelimit -# descriptors: -# - key: PATH -# value: "/" -# rate_limit: -# unit: minute -# requests_per_unit: 1 -# - key: PATH -# rate_limit: -# unit: minute -# requests_per_unit: 100 -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: redis - labels: - app: redis -spec: - ports: - - name: redis - port: 6379 - selector: - app: redis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - image: redis:alpine - imagePullPolicy: IfNotPresent - name: redis - ports: - - name: redis - containerPort: 6379 - restartPolicy: Always - serviceAccountName: "" ---- -apiVersion: v1 -kind: Service -metadata: - name: ratelimit - labels: - app: ratelimit -spec: - ports: - - name: http-port - port: 8080 - targetPort: 8080 - protocol: TCP - - name: grpc-port - port: 8081 - 
targetPort: 8081 - protocol: TCP - - name: http-debug - port: 6070 - targetPort: 6070 - protocol: TCP - selector: - app: ratelimit ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratelimit -spec: - replicas: 1 - selector: - matchLabels: - app: ratelimit - strategy: - type: Recreate - template: - metadata: - labels: - app: ratelimit - spec: - containers: - - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16 - imagePullPolicy: IfNotPresent - name: ratelimit - command: ["/bin/ratelimit"] - env: - - name: LOG_LEVEL - value: debug - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: redis:6379 - - name: USE_STATSD - value: "false" - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: HOST - value: "::" - - name: GRPC_HOST - value: "::" - ports: - - containerPort: 8080 - - containerPort: 8081 - - containerPort: 6070 - volumeMounts: - - name: config-volume - mountPath: /data/ratelimit/config - volumes: - - name: config-volume - configMap: - name: ratelimit-config diff --git a/istio-1.24.3/samples/security/psp/sidecar-psp.yaml b/istio-1.24.3/samples/security/psp/sidecar-psp.yaml deleted file mode 100644 index b44748f1..00000000 --- a/istio-1.24.3/samples/security/psp/sidecar-psp.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: policy/v1 -kind: PodSecurityPolicy -metadata: - name: istio-sidecar -spec: - # Allow the istio sidecar injector to work - allowedCapabilities: - - NET_ADMIN - - NET_RAW - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-sidecar-psp -rules: - - apiGroups: - - extensions - resources: - - podsecuritypolicies - resourceNames: - - istio-sidecar - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-sidecar-psp -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-sidecar-psp -subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:serviceaccounts diff --git a/istio-1.24.3/samples/security/spire/README.md b/istio-1.24.3/samples/security/spire/README.md deleted file mode 100644 index b3e1978f..00000000 --- a/istio-1.24.3/samples/security/spire/README.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Integrating SPIRE as a CA through Envoy's SDS API - -This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information -on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/). - -Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). - -See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration. - -## Deploy the integration - -1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster: - - ```bash - $ kubectl apply -f spire-quickstart.yaml - ``` - -1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready: - - ```bash - $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent - ``` - -1. Use the configuration profile provided to install Istio (requires istioctl v1.14+): - - ```bash - $ istioctl install -f istio-spire-config.yaml - ``` - -1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label: - - ```bash - $ kubectl apply -f clusterspiffeid.yaml - ``` - -1. 
Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment: - - ```bash - $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}' - ``` - -1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label. - - If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: - - ```bash - $ kubectl apply -f sleep-spire.yaml - ``` - - Otherwise, manually inject the sidecar before applying: - - ```bash - $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml) - ``` - -1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command: - - ```bash - $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") - $ istioctl pc secret $SLEEP_POD -o json | jq -r \ - '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem - ``` - -1. Inspect the certificate content and verify that SPIRE was the issuer: - - ```bash - $ openssl x509 -in chain.pem -text | grep SPIRE - Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt - ``` - -## Tear down - -1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace: - - ```bash - $ kubectl delete namespace spire - ``` - -1. 
Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition: - - ```bash - $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role - $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding - $ kubectl delete role spire-server-role leader-election-role - $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding - $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook - $ kubectl delete csidriver csi.spiffe.io - $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io - $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io - ``` diff --git a/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml b/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml deleted file mode 100644 index bf67989e..00000000 --- a/istio-1.24.3/samples/security/spire/clusterspiffeid.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - podSelector: - matchLabels: - spiffe.io/spire-managed-identity: "true" diff --git a/istio-1.24.3/samples/security/spire/curl-spire.yaml b/istio-1.24.3/samples/security/spire/curl-spire.yaml deleted file mode 100644 index dcaf9558..00000000 --- a/istio-1.24.3/samples/security/spire/curl-spire.yaml +++ /dev/null 
@@ -1,70 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# curl service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: curl
----
-apiVersion: v1
-kind: Service
-metadata:
- name: curl
- labels:
- app: curl
- service: curl
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: curl
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: curl
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: curl
- template:
- metadata:
- labels:
- app: curl
- spiffe.io/spire-managed-identity: "true"
- # Injects custom sidecar template
- annotations:
- inject.istio.io/templates: "sidecar,spire"
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: curl
- containers:
- - name: curl
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- volumes:
- - name: tmp
- emptyDir: {}
----
\ No newline at end of file
diff --git a/istio-1.24.3/samples/security/spire/istio-spire-config.yaml b/istio-1.24.3/samples/security/spire/istio-spire-config.yaml
deleted file mode 100644
index 812c65ec..00000000
--- a/istio-1.24.3/samples/security/spire/istio-spire-config.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
-spec:
- profile: default
- meshConfig:
- trustDomain: example.org
- values:
- global:
- # This is used to customize the sidecar template
- sidecarInjectorWebhook:
- templates:
- spire: |
- spec:
- containers:
- - name: istio-proxy
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- volumes:
- - name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- label:
- istio: ingressgateway
- k8s:
- overlays:
- - apiVersion: apps/v1
- kind: Deployment
- name: istio-ingressgateway
- patches:
- - path: spec.template.spec.volumes.[name:workload-socket]
- value:
- name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
- value:
- name: workload-socket
- mountPath: "/run/secrets/workload-spiffe-uds"
- readOnly: true
- - path: spec.template.spec.initContainers
- value:
- - name: wait-for-spire-socket
- image: busybox:1.28
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- env:
- - name: CHECK_FILE
- value: /run/secrets/workload-spiffe-uds/socket
- command:
- - sh
- - "-c"
- - |-
- echo `date -Iseconds` Waiting for: ${CHECK_FILE}
- while [[ ! -e ${CHECK_FILE} ]] ; do
- echo `date -Iseconds` File does not exist: ${CHECK_FILE}
- sleep 15
- done
- ls -l ${CHECK_FILE}
diff --git a/istio-1.24.3/samples/security/spire/sleep-spire.yaml b/istio-1.24.3/samples/security/spire/sleep-spire.yaml
deleted file mode 100644
index d1e1673f..00000000
--- a/istio-1.24.3/samples/security/spire/sleep-spire.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spiffe.io/spire-managed-identity: "true"
- # Injects custom sidecar template
- annotations:
- inject.istio.io/templates: "sidecar,spire"
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- volumes:
- - name: tmp
- emptyDir: {}
----
\ No newline at end of file
diff --git a/istio-1.24.3/samples/security/spire/spire-quickstart.yaml b/istio-1.24.3/samples/security/spire/spire-quickstart.yaml
deleted file mode 100644
index 238c91b6..00000000
--- a/istio-1.24.3/samples/security/spire/spire-quickstart.yaml
+++ /dev/null
@@ -1,985 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: spire - ---- -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire - ---- -# ConfigMap for spire-agent bootstrapping. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: spire - ---- -# ClusterRole to allow spire-server to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role -rules: - # allow TokenReview requests (to verify service account tokens for PSAT - # attestation) -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-server service account. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: ClusterRole - name: spire-server-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# Role for the SPIRE server. 
-kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: spire - name: spire-server-role -rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) -- apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE - # agent bootstrapping, see the spire-bundle ConfigMap) -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-bundle"] - verbs: ["get", "patch"] - ---- -# RoleBinding granting the spire-server-role to the SPIRE server -# service account. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role-binding - namespace: spire -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: Role - name: spire-server-role - apiGroup: rbac.authorization.k8s.io - ---- -# ClusterRules for the SPIRE Controller Manager. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: 
["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - ---- -# Binds manager-role cluster role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# Permissions for the SPIRE server to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: leader-election-role - namespace: spire -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- -# Binds leader-election-role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: leader-election-role-binding - namespace: spire -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# ConfigMap containing the SPIRE server configuration. 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - # NOTE: Change this to your cluster name - "demo-cluster" = { - service_account_allow_list = ["spire:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - namespace = "spire" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - ---- -# Configuration for the SPIRE Controller Manager. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager-config - namespace: spire -data: - spire-controller-manager-config.yaml: | - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8082 - healthProbe: - bindAddress: 127.0.0.1:8083 - leaderElection: - leaderElect: true - resourceName: 98c9c988.spiffe.io - resourceNamespace: spire - clusterName: demo-cluster - trustDomain: example.org - ignoreNamespaces: - - kube-system - - kube-public - - spire - - local-path-storage - ---- -# SPIRE Server Deployment. 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: ghcr.io/spiffe/spire-server:1.5.4 - imagePullPolicy: IfNotPresent - args: - - -config - - /run/spire/server/config/server.conf - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/server/config - readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - - name: spire-controller-manager - image: ghcr.io/spiffe/spire-controller-manager:0.2.3 - imagePullPolicy: IfNotPresent - args: - - "--config=spire-controller-manager-config.yaml" - ports: - - containerPort: 9443 - volumeMounts: - - name: spire-server-socket - mountPath: /spire-server - readOnly: true - - name: spire-controller-manager-config - mountPath: /spire-controller-manager-config.yaml - subPath: spire-controller-manager-config.yaml - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-config - configMap: - name: spire-controller-manager-config - ---- -# Service definition for SPIRE server defining the gRPC port. -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire -spec: - type: NodePort - ports: - - name: grpc - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE server bundle endpoint. 
-apiVersion: v1 -kind: Service -metadata: - name: spire-server-bundle-endpoint - namespace: spire -spec: - type: NodePort - ports: - - name: tcp-api - port: 8443 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE controller manager webhook. -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook-service - namespace: spire -spec: - ports: - - name: tcp - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app: spire-server - ---- -# ClusterFederatedTrustDomains CRD. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. - It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ClusterSPIFFEID CRD. 
-apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. - type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream SPIRE server. 
- type: boolean - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. 
- properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for SVIDs minted - for this ClusterSPIFFEID. If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. 
- items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and -# ClusterFederatedTrustDomain custom resources. 
-apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Fail - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Fail - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire - ---- -# Required cluster role to allow spire-agent to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: -- apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-agent service account. 
-kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-agent - namespace: spire -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/secrets/workload-spiffe-uds/socket" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - # NOTE: Change this to your cluster name - cluster = "demo-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification = true - - # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio - # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig - # If true, container selectors are not produced. - # This can be used to produce pod selectors when the workload pod is known - # but the workload container is not ready at the time of attestation. - # disable_container_selectors = true - } - } - - WorkloadAttestor "unix" { - plugin_data { - } - } - - } - ---- -# SPIRE Agent DaemonSet. 
-apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire - labels: - app: spire-agent -spec: - selector: - matchLabels: - app: spire-agent - template: - metadata: - namespace: spire - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - containers: - - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.5.4 - imagePullPolicy: IfNotPresent - args: ["-config", "/run/spire/config/agent.conf"] - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: /run/secrets/workload-spiffe-uds - - name: spire-token - mountPath: /var/run/secrets/tokens - # This is the container which runs the SPIFFE CSI driver. - - name: spiffe-csi-driver - image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0 - imagePullPolicy: IfNotPresent - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - privileged: true - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. 
- - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0 - imagePullPolicy: IfNotPresent - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - # This volume is used to share the workload api socket between the - # CSI driver and SPIRE agent - - name: spire-agent-socket-dir - emptyDir: {} - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory diff --git a/istio-1.24.3/samples/sleep/README.md b/istio-1.24.3/samples/sleep/README.md deleted file mode 100644 index b5c21550..00000000 --- a/istio-1.24.3/samples/sleep/README.md +++ /dev/null 
@@ -1,6 +0,0 @@
-# sleep has been replaced
-
-This sample has been replaced by the ["curl" sample](../curl/).
-The new version is the same, except that the servie account, service, pod and container are now all called `curl` instead of `sleep`, to more accurately communicate the intended use in our documentation.
-
-The original file is still provided, but please update any documentation or samples accordingly.
diff --git a/istio-1.24.3/samples/sleep/sleep.yaml b/istio-1.24.3/samples/sleep/sleep.yaml
deleted file mode 100644
index 570086b9..00000000
--- a/istio-1.24.3/samples/sleep/sleep.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - mountPath: /etc/sleep/tls
- name: secret-volume
- volumes:
- - name: secret-volume
- secret:
- secretName: sleep-secret
- optional: true
----
diff --git a/istio-1.24.3/samples/tcp-echo/README.md b/istio-1.24.3/samples/tcp-echo/README.md
deleted file mode 100644
index 50f2d82a..00000000
--- a/istio-1.24.3/samples/tcp-echo/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# TCP Echo Service
-
-This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server
-allows you to connect to it over TCP and echoes back data sent to it along with
-a preconfigured prefix.
-
-## Usage
-
-To run the TCP Echo Service sample:
-
-1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html).
-
-1. Start the `tcp-echo-server` service inside the Istio service mesh:
-
- ```console
- $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml)
- service/tcp-echo created
- deployment.apps/tcp-echo created
- ```
-
-1. Test by running the `nc` command from a `busybox` container from within the cluster.
-
- ```console
- $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000"
- hello world
- pod "dummy" deleted
- ```
-
- As you observe, sending _world_ on a TCP connection to the server results in
- the server prepending _hello_ and echoing back with _hello world_.
-
-1. To clean up, execute the following command:
-
- ```console
- $ kubectl delete -f tcp-echo.yaml
- service "tcp-echo" deleted
- deployment.apps "tcp-echo" deleted
- ```
diff --git a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
deleted file mode 100644
index 11e27be3..00000000
--- a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
- weight: 80
- - name: tcp-echo-v2
- port: 9000
- weight: 20
diff --git a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
deleted file mode 100644
index da089536..00000000
--- a/istio-1.24.3/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: tcp-31400
- protocol: TCP
- port: 31400
- allowedRoutes:
- kinds:
- - kind: TCPRoute
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v1
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v2
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v2
----
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml
deleted file mode 100644
index 96494cc7..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
- weight: 80
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v2
- weight: 20
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml
deleted file mode 100644
index f71f21f3..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 31400
- name: tcp
- protocol: TCP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1
-kind: DestinationRule
-metadata:
- name: tcp-echo-destination
-spec:
- host: tcp-echo
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml
deleted file mode 100644
index 94cdf7ea..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-dual-stack.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies:
- - IPv6
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml
deleted file mode 100644
index 3745129c..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv4.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml
deleted file mode 100644
index ad70e706..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-ipv6.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv6
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml
deleted file mode 100644
index 4ebde5ec..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo-services.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v1
- labels:
- app: tcp-echo
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "one" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v2
- labels:
- app: tcp-echo
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v2
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v2
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "two" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml b/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml
deleted file mode 100644
index 05accba3..00000000
--- a/istio-1.24.3/samples/tcp-echo/tcp-echo.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.3
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.24.3/samples/wasm_modules/README.md b/istio-1.24.3/samples/wasm_modules/README.md
deleted file mode 100644
index 4a8a8702..00000000
--- a/istio-1.24.3/samples/wasm_modules/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# WASM demo
-
-`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions).
diff --git a/istio-1.24.3/samples/wasm_modules/header_injector/Makefile b/istio-1.24.3/samples/wasm_modules/header_injector/Makefile
deleted file mode 100644
index 377495d2..00000000
--- a/istio-1.24.3/samples/wasm_modules/header_injector/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-.PHONY: docker-push docker-build build clean
-
-VERSION_LIST := 1 2
-HUB ?= gcr.io/istio-testing
-IMAGE_PREFIX ?= /wasm
-IMG := $(HUB)$(IMAGE_PREFIX)/header-injector
-
-all: docker-push
-
-build: plugin.cc plugin.h BUILD WORKSPACE
- rm -f *.wasm
- $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;)
-
-docker-build: build
- $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;)
-
-docker-push: docker-build
- $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);)
-
-clean:
- rm -rf bazel-*
- rm -f *.wasm
diff --git a/istio-1.24.3/samples/websockets/README.md b/istio-1.24.3/samples/websockets/README.md
deleted file mode 100644
index 26a1f382..00000000
--- a/istio-1.24.3/samples/websockets/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Tornado - Demo Websockets App
-
-This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`.
-The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example).
-
-__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`.
-
-## Prerequisites
-
-Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html).
-
-## Installation
-
-1. First install the application service:
-
- - With manual sidecar injection:
-
- ```command
- kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml)
- ```
-
- - With automatic sidecar injection
-
- ```command
- kubectl create -f samples/websockets/app.yaml
- ```
-
-1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic:
-
- ```command
- kubectl create -f samples/websockets/route.yaml
- ```
-
-## Test
-
-- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
-
-- Access with your browser
-
-- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established.
-To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing).
-
-## Cleanup
-
-```command
-kubectl delete -f samples/websockets/route.yaml
-kubectl delete -f samples/websockets/app.yaml
-```
diff --git a/istio-1.24.3/samples/websockets/app.yaml b/istio-1.24.3/samples/websockets/app.yaml
deleted file mode 100644
index 4f44ea7d..00000000
--- a/istio-1.24.3/samples/websockets/app.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tornado
- labels:
- app: tornado
- service: tornado
-spec:
- ports:
- - port: 8888
- name: http
- selector:
- app: tornado
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tornado
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tornado
- version: v1
- template:
- metadata:
- labels:
- app: tornado
- version: v1
- spec:
- containers:
- - name: tornado
- image: hiroakis/tornado-websocket-example
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 8888
----
diff --git a/istio-1.24.3/samples/websockets/route.yaml b/istio-1.24.3/samples/websockets/route.yaml
deleted file mode 100644
index f71b1d91..00000000
--- a/istio-1.24.3/samples/websockets/route.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: networking.istio.io/v1
-kind: Gateway
-metadata:
- name: tornado-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
- name: tornado
-spec:
- hosts:
- - "*"
- gateways:
- - tornado-gateway
- http:
- - match:
- - uri:
- prefix: /
- route:
- - destination:
- host: tornado
- weight: 100
diff --git a/istio-1.24.3/tools/_istioctl b/istio-1.24.3/tools/_istioctl
deleted file mode 100644
index d1e29f21..00000000
--- a/istio-1.24.3/tools/_istioctl
+++ /dev/null
@@ -1,212 +0,0 @@ -#compdef istioctl -compdef _istioctl istioctl - -# zsh completion for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - local file="$BASH_COMP_DEBUG_FILE" - if [[ -n ${file} ]]; then - echo "$*" >> "${file}" - fi -} - -_istioctl() -{ - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder - local -a completions - - __istioctl_debug "\n========= starting completion logic ==========" - __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $CURRENT location, so we need - # to truncate the command-line ($words) up to the $CURRENT location. - # (We cannot use $CURSOR as its value does not work when a command is an alias.) - words=("${=words[1,CURRENT]}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - lastParam=${words[-1]} - lastChar=${lastParam[-1]} - __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" - - # For zsh, when completing a flag with an = (e.g., istioctl -n=) - # completions must be prefixed with the flag - setopt local_options BASH_REMATCH - if [[ "${lastParam}" =~ '-.*=' ]]; then - # We are dealing with a flag with an = - flagPrefix="-P ${BASH_REMATCH}" - fi - - # Prepare the command to obtain completions - requestComp="${words[1]} __complete ${words[2,-1]}" - if [ "${lastChar}" = "" ]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go completion code. 
- __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} \"\"" - fi - - __istioctl_debug "About to call: eval ${requestComp}" - - # Use eval to handle any environment variables and such - out=$(eval ${requestComp} 2>/dev/null) - __istioctl_debug "completion output: ${out}" - - # Extract the directive integer following a : from the last line - local lastLine - while IFS='\n' read -r line; do - lastLine=${line} - done < <(printf "%s\n" "${out[@]}") - __istioctl_debug "last line: ${lastLine}" - - if [ "${lastLine[1]}" = : ]; then - directive=${lastLine[2,-1]} - # Remove the directive including the : and the newline - local suffix - (( suffix=${#lastLine}+2)) - out=${out[1,-$suffix]} - else - # There is no directive specified. Leave $out as is. - __istioctl_debug "No directive found. Setting do default" - directive=0 - fi - - __istioctl_debug "directive: ${directive}" - __istioctl_debug "completions: ${out}" - __istioctl_debug "flagPrefix: ${flagPrefix}" - - if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then - __istioctl_debug "Completion received error. Ignoring completions." - return - fi - - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - local startIndex=$((${#activeHelpMarker}+1)) - local hasActiveHelp=0 - while IFS='\n' read -r comp; do - # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker) - if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then - __istioctl_debug "ActiveHelp found: $comp" - comp="${comp[$startIndex,-1]}" - if [ -n "$comp" ]; then - compadd -x "${comp}" - __istioctl_debug "ActiveHelp will need delimiter" - hasActiveHelp=1 - fi - - continue - fi - - if [ -n "$comp" ]; then - # If requested, completions are returned with a description. - # The description is preceded by a TAB character. - # For zsh's _describe, we need to use a : instead of a TAB. - # We first need to escape any : as part of the completion itself. 
- comp=${comp//:/\\:} - - local tab="$(printf '\t')" - comp=${comp//$tab/:} - - __istioctl_debug "Adding completion: ${comp}" - completions+=${comp} - lastComp=$comp - fi - done < <(printf "%s\n" "${out[@]}") - - # Add a delimiter after the activeHelp statements, but only if: - # - there are completions following the activeHelp statements, or - # - file completion will be performed (so there will be choices after the activeHelp) - if [ $hasActiveHelp -eq 1 ]; then - if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then - __istioctl_debug "Adding activeHelp delimiter" - compadd -x "--" - hasActiveHelp=0 - fi - fi - - if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then - __istioctl_debug "Activating nospace." - noSpace="-S ''" - fi - - if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then - __istioctl_debug "Activating keep order." - keepOrder="-V" - fi - - if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then - # File extension filtering - local filteringCmd - filteringCmd='_files' - for filter in ${completions[@]}; do - if [ ${filter[1]} != '*' ]; then - # zsh requires a glob pattern to do file filtering - filter="\*.$filter" - fi - filteringCmd+=" -g $filter" - done - filteringCmd+=" ${flagPrefix}" - - __istioctl_debug "File filtering command: $filteringCmd" - _arguments '*:filename:'"$filteringCmd" - elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then - # File completion for directories only - local subdir - subdir="${completions[1]}" - if [ -n "$subdir" ]; then - __istioctl_debug "Listing directories in $subdir" - pushd "${subdir}" >/dev/null 2>&1 - else - __istioctl_debug "Listing directories in ." - fi - - local result - _arguments '*:dirname:_files -/'" ${flagPrefix}" - result=$? 
- if [ -n "$subdir" ]; then - popd >/dev/null 2>&1 - fi - return $result - else - __istioctl_debug "Calling _describe" - if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then - __istioctl_debug "_describe found some completions" - - # Return the success of having called _describe - return 0 - else - __istioctl_debug "_describe did not find completions." - __istioctl_debug "Checking if we should do file completion." - if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then - __istioctl_debug "deactivating file completion" - - # We must return an error code here to let zsh know that there were no - # completions found by _describe; this is what will trigger other - # matching algorithms to attempt to find completions. - # For example zsh can match letters in the middle of words. - return 1 - else - # Perform file completion - __istioctl_debug "Activating file completion" - - # We must return the result of this command, so it must be the - # last command, or else we must store its result to return it. - _arguments '*:filename:_files'" ${flagPrefix}" - fi - fi - fi -} - -# don't run the completion function when being source-ed or eval-ed -if [ "$funcstack[1]" = "_istioctl" ]; then - _istioctl -fi diff --git a/istio-1.24.3/tools/certs/Makefile.k8s.mk b/istio-1.24.3/tools/certs/Makefile.k8s.mk deleted file mode 100644 index cdf8f9d5..00000000 --- a/istio-1.24.3/tools/certs/Makefile.k8s.mk +++ /dev/null 
@@ -1,102 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##fetch-root-ca: fetch root CA and key from a k8s cluster. -.PHONY: fetch-root-ca -rawcluster := $(shell kubectl config current-context) -cluster := $(subst /,-,$(rawcluster)) -pwd := $(shell pwd) -export KUBECONFIG - -fetch-root-ca: - @echo "fetching root ca from k8s cluster: "$(cluster)"" - @mkdir -p $(pwd)/$(cluster) - @res=$$(kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; echo $$?); \ - if [ $$res -eq 1 ]; then \ - kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \ - kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem; \ - else \ - kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \ - kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem; \ - fi - -k8s-root-cert.pem: - @cat $(cluster)/k8s-root-cert.pem > $@ - -k8s-root-key.pem: - @cat $(cluster)/k8s-root-key.pem > $@ -#------------------------------------------------------------------------ -##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them 
under directory -.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $<)/root-cert.pem - -%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem - @echo "generating $@" - @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ - -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: fetch-root-ca - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster. -.PHONY: %-certs - -%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $@)/root-cert.pem - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 \ No newline at end of file 
diff --git a/istio-1.24.3/tools/certs/Makefile.selfsigned.mk b/istio-1.24.3/tools/certs/Makefile.selfsigned.mk
deleted file mode 100644
index 2a87d071..00000000
--- a/istio-1.24.3/tools/certs/Makefile.selfsigned.mk
+++ /dev/null
@@ -1,98 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##root-ca: generate root CA files (key and certificate) in current directory. -.PHONY: root-ca - -root-ca: root-key.pem root-cert.pem - -root-cert.pem: root-cert.csr root-key.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \ - -extensions req_ext -extfile root-ca.conf \ - -in $< -out $@ - -root-cert.csr: root-key.pem root-ca.conf - @echo "generating $@" - @openssl req -sha256 -new -key $< -config root-ca.conf -out $@ - -root-key.pem: - @echo "generating $@" - @openssl genrsa -out $@ 4096 -#------------------------------------------------------------------------ -##-cacerts: generate self signed intermediate certificates for and store them under directory. 
-.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate inputs stored in $(dir $<)" - @cp root-cert.pem $(dir $<) - - -%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \ - -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs. -.PHONY: %-certs - -%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp root-cert.pem $(dir $@)/root-cert.pem - - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 
diff --git a/istio-1.24.3/tools/certs/README.md b/istio-1.24.3/tools/certs/README.md
deleted file mode 100644
index f8dfcd08..00000000
--- a/istio-1.24.3/tools/certs/README.md
+++ /dev/null
@@ -1,46 +0,0 @@ -# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust - -The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: -- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default -`kubeconfig` is used for accessing the cluster. -- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. - -The table below describes the targets supported by both Makefiles. - -Make Target | Makefile | Description ------- | -------- | ----------- -`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. -`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. -`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. -`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory. -`clean` | Both | Removes any generated root certificates, keys, and intermediate files. - -For example: - -```bash -make -f Makefile.selfsigned.mk root-ca -``` - -Note that the Makefile generates long-lived intermediate certificates. While this might be -acceptable for demonstration purposes, a more realistic and secure deployment would use -short-lived and automatically renewed certificates for the intermediate CAs. 
- -## Creating Certificates Using an Existing Istio CA - -```bash -make -f Makefile.k8s.mk fetch-root-ca -``` - -The `fetch-root-ca` target retrieves the root CA certificate and key from an Istio-enabled Kubernetes cluster. This process is useful when establishing a trusted certificate chain across multiple clusters or environments using an existing Istio root certificate. **By default, it fetches the certificate and key from the `istio-ca-secret`, and if that is not available, it retrieves them from the `cacerts` secret.** - -The command generates the certificate and key files in a directory named after the **current context** from your `kubeconfig` file. - -```bash -make -f Makefile.k8s.mk $(cluster name)-cacerts -``` - -Afterwards, running the above command will generate an **Intermediate CA** certificate based on the root CA. For example, if you want to create an intermediate CA for `cluster01`, you would run the following command: - -```bash -make -f Makefile.k8s.mk cluster01-cacerts -``` diff --git a/istio-1.24.3/tools/certs/common.mk b/istio-1.24.3/tools/certs/common.mk deleted file mode 100644 index ba3f90c9..00000000 --- a/istio-1.24.3/tools/certs/common.mk +++ /dev/null 
@@ -1,101 +0,0 @@ -#------------------------------------------------------------------------ -# variables: root CA -ROOTCA_DAYS ?= 3650 -ROOTCA_KEYSZ ?= 4096 -ROOTCA_ORG ?= Istio -ROOTCA_CN ?= Root CA -KUBECONFIG ?= $(HOME)/.kube/config -ISTIO_NAMESPACE ?= istio-system -# Additional variables are defined in root-ca.conf target below. - -#------------------------------------------------------------------------ -# variables: intermediate CA -INTERMEDIATE_DAYS ?= 3650 -INTERMEDIATE_KEYSZ ?= 4096 -INTERMEDIATE_ORG ?= Istio -INTERMEDIATE_CN ?= Intermediate CA -INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc -# Additional variables are defined in %/intermediate.conf target below. - -#------------------------------------------------------------------------ -# variables: workload certs: eg VM -WORKLOAD_DAYS ?= 1 -SERVICE_ACCOUNT ?= default -WORKLOAD_CN ?= Workload - -#------------------------------------------------------------------------ -# variables: files to clean -FILES_TO_CLEAN+=k8s-root-cert.pem \ - k8s-root-cert.srl \ - k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem -#------------------------------------------------------------------------ -# clean -.PHONY: clean - -clean: ## Cleans all the intermediate files and folders previously generated. 
- @rm -f $(FILES_TO_CLEAN) - -root-ca.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(ROOTCA_ORG)" >> $@ - @echo "CN = $(ROOTCA_CN)" >> $@ - -%/intermediate.conf: L=$(dir $@) -%/intermediate.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(INTERMEDIATE_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ - -%/workload.conf: L=$(dir $@) -%/workload.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - 
@echo "basicConstraints = critical, CA:false" >> $@ - @echo "keyUsage = digitalSignature, keyEncipherment" >> $@ - @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(WORKLOAD_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ diff --git a/istio-1.24.3/tools/istioctl.bash b/istio-1.24.3/tools/istioctl.bash deleted file mode 100644 index 60a13d0f..00000000 --- a/istio-1.24.3/tools/istioctl.bash +++ /dev/null 
@@ -1,338 +0,0 @@ -# bash completion V2 for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then - echo "$*" >> "${BASH_COMP_DEBUG_FILE}" - fi -} - -# Macs have bash3 for which the bash-completion package doesn't include -# _init_completion. This is a minimal version of that function. -__istioctl_init_completion() -{ - COMPREPLY=() - _get_comp_words_by_ref "$@" cur prev words cword -} - -# This function calls the istioctl program to obtain the completion -# results and the directive. It fills the 'out' and 'directive' vars. -__istioctl_get_completion_results() { - local requestComp lastParam lastChar args - - # Prepare the command to request completions for the program. - # Calling ${words[0]} instead of directly istioctl allows handling aliases - args=("${words[@]:1}") - requestComp="${words[0]} __complete ${args[*]}" - - lastParam=${words[$((${#words[@]}-1))]} - lastChar=${lastParam:$((${#lastParam}-1)):1} - __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" - - if [[ -z ${cur} && ${lastChar} != = ]]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go method. 
- __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} ''" - fi - - # When completing a flag with an = (e.g., istioctl -n=) - # bash focuses on the part after the =, so we need to remove - # the flag part from $cur - if [[ ${cur} == -*=* ]]; then - cur="${cur#*=}" - fi - - __istioctl_debug "Calling ${requestComp}" - # Use eval to handle any environment variables and such - out=$(eval "${requestComp}" 2>/dev/null) - - # Extract the directive integer at the very end of the output following a colon (:) - directive=${out##*:} - # Remove the directive - out=${out%:*} - if [[ ${directive} == "${out}" ]]; then - # There is not directive specified - directive=0 - fi - __istioctl_debug "The completion directive is: ${directive}" - __istioctl_debug "The completions are: ${out}" -} - -__istioctl_process_completion_results() { - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - if (((directive & shellCompDirectiveError) != 0)); then - # Error code. No completion. 
- __istioctl_debug "Received error from custom completion go code" - return - else - if (((directive & shellCompDirectiveNoSpace) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no space" - compopt -o nospace - else - __istioctl_debug "No space directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveKeepOrder) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - # no sort isn't supported for bash less than < 4.4 - if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then - __istioctl_debug "No sort directive not supported in this version of bash" - else - __istioctl_debug "Activating keep order" - compopt -o nosort - fi - else - __istioctl_debug "No sort directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveNoFileComp) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no file completion" - compopt +o default - else - __istioctl_debug "No file completion directive not supported in this version of bash" - fi - fi - fi - - # Separate activeHelp from normal completions - local completions=() - local activeHelp=() - __istioctl_extract_activeHelp - - if (((directive & shellCompDirectiveFilterFileExt) != 0)); then - # File extension filtering - local fullFilter filter filteringCmd - - # Do not use quotes around the $completions variable or else newline - # characters will be kept. 
- for filter in ${completions[*]}; do - fullFilter+="$filter|" - done - - filteringCmd="_filedir $fullFilter" - __istioctl_debug "File filtering command: $filteringCmd" - $filteringCmd - elif (((directive & shellCompDirectiveFilterDirs) != 0)); then - # File completion for directories only - - local subdir - subdir=${completions[0]} - if [[ -n $subdir ]]; then - __istioctl_debug "Listing directories in $subdir" - pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return - else - __istioctl_debug "Listing directories in ." - _filedir -d - fi - else - __istioctl_handle_completion_types - fi - - __istioctl_handle_special_char "$cur" : - __istioctl_handle_special_char "$cur" = - - # Print the activeHelp statements before we finish - if ((${#activeHelp[*]} != 0)); then - printf "\n"; - printf "%s\n" "${activeHelp[@]}" - printf "\n" - - # The prompt format is only available from bash 4.4. - # We test if it is available before using it. - if (x=${PS1@P}) 2> /dev/null; then - printf "%s" "${PS1@P}${COMP_LINE[@]}" - else - # Can't print the prompt. Just print the - # text the user had typed, it is workable enough. - printf "%s" "${COMP_LINE[@]}" - fi - fi -} - -# Separate activeHelp lines from real completions. -# Fills the $activeHelp and $completions arrays. 
-__istioctl_extract_activeHelp() { - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - - while IFS='' read -r comp; do - if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then - comp=${comp:endIndex} - __istioctl_debug "ActiveHelp found: $comp" - if [[ -n $comp ]]; then - activeHelp+=("$comp") - fi - else - # Not an activeHelp line but a normal completion - completions+=("$comp") - fi - done <<<"${out}" -} - -__istioctl_handle_completion_types() { - __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE" - - case $COMP_TYPE in - 37|42) - # Type: menu-complete/menu-complete-backward and insert-completions - # If the user requested inserting one completion at a time, or all - # completions at once on the command-line we must remove the descriptions. - # https://github.com/spf13/cobra/issues/1508 - local tab=$'\t' comp - while IFS='' read -r comp; do - [[ -z $comp ]] && continue - # Strip any description - comp=${comp%%$tab*} - # Only consider the completions that match - if [[ $comp == "$cur"* ]]; then - COMPREPLY+=("$comp") - fi - done < <(printf "%s\n" "${completions[@]}") - ;; - - *) - # Type: complete (normal completion) - __istioctl_handle_standard_completion_case - ;; - esac -} - -__istioctl_handle_standard_completion_case() { - local tab=$'\t' comp - - # Short circuit to optimize if we don't have descriptions - if [[ "${completions[*]}" != *$tab* ]]; then - IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur") - return 0 - fi - - local longest=0 - local compline - # Look for the longest completion so that we can format things nicely - while IFS='' read -r compline; do - [[ -z $compline ]] && continue - # Strip any description before checking the length - comp=${compline%%$tab*} - # Only consider the completions that match - [[ $comp == "$cur"* ]] || continue - COMPREPLY+=("$compline") - if ((${#comp}>longest)); then - longest=${#comp} - fi - done < <(printf "%s\n" 
"${completions[@]}") - - # If there is a single completion left, remove the description text - if ((${#COMPREPLY[*]} == 1)); then - __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" - comp="${COMPREPLY[0]%%$tab*}" - __istioctl_debug "Removed description from single completion, which is now: ${comp}" - COMPREPLY[0]=$comp - else # Format the descriptions - __istioctl_format_comp_descriptions $longest - fi -} - -__istioctl_handle_special_char() -{ - local comp="$1" - local char=$2 - if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then - local word=${comp%"${comp##*${char}}"} - local idx=${#COMPREPLY[*]} - while ((--idx >= 0)); do - COMPREPLY[idx]=${COMPREPLY[idx]#"$word"} - done - fi -} - -__istioctl_format_comp_descriptions() -{ - local tab=$'\t' - local comp desc maxdesclength - local longest=$1 - - local i ci - for ci in ${!COMPREPLY[*]}; do - comp=${COMPREPLY[ci]} - # Properly format the description string which follows a tab character if there is one - if [[ "$comp" == *$tab* ]]; then - __istioctl_debug "Original comp: $comp" - desc=${comp#*$tab} - comp=${comp%%$tab*} - - # $COLUMNS stores the current shell width. - # Remove an extra 4 because we add 2 spaces and 2 parentheses. - maxdesclength=$(( COLUMNS - longest - 4 )) - - # Make sure we can fit a description of at least 8 characters - # if we are to align the descriptions. 
- if ((maxdesclength > 8)); then - # Add the proper number of spaces to align the descriptions - for ((i = ${#comp} ; i < longest ; i++)); do - comp+=" " - done - else - # Don't pad the descriptions so we can fit more text after the completion - maxdesclength=$(( COLUMNS - ${#comp} - 4 )) - fi - - # If there is enough space for any description text, - # truncate the descriptions that are too long for the shell width - if ((maxdesclength > 0)); then - if ((${#desc} > maxdesclength)); then - desc=${desc:0:$(( maxdesclength - 1 ))} - desc+="…" - fi - comp+=" ($desc)" - fi - COMPREPLY[ci]=$comp - __istioctl_debug "Final comp: $comp" - fi - done -} - -__start_istioctl() -{ - local cur prev words cword split - - COMPREPLY=() - - # Call _init_completion from the bash-completion package - # to prepare the arguments properly - if declare -F _init_completion >/dev/null 2>&1; then - _init_completion -n =: || return - else - __istioctl_init_completion -n =: || return - fi - - __istioctl_debug - __istioctl_debug "========= starting completion logic ==========" - __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $cword location, so we need - # to truncate the command-line ($words) up to the $cword location. - words=("${words[@]:0:$cword+1}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - local out directive - __istioctl_get_completion_results - __istioctl_process_completion_results -} - -if [[ $(type -t compopt) = "builtin" ]]; then - complete -o default -F __start_istioctl istioctl -else - complete -o default -o nospace -F __start_istioctl istioctl -fi - -# ex: ts=4 sw=4 et filetype=sh From 537bee6da060b09172090668a0b9fc0cc5ee762e Mon Sep 17 00:00:00 2001 
From: German
Date: Fri, 13 Feb 2026 10:09:14 -0800
Subject: [PATCH 7/9] remove demo script
---
demo-multi-region-backup-restore.sh | 618 ----------------------------
1 file changed, 618 deletions(-)
delete mode 100755 demo-multi-region-backup-restore.sh
diff --git a/demo-multi-region-backup-restore.sh b/demo-multi-region-backup-restore.sh
deleted file mode 100755
index 0962cfab..00000000
--- a/demo-multi-region-backup-restore.sh
+++ /dev/null
@@ -1,618 +0,0 @@ -#!/bin/bash -# ============================================================================= -# DocumentDB Multi-Region Cluster Demo -# ============================================================================= -# This script demonstrates: -# 1. Deploying a multi-region DocumentDB cluster -# 2. Writing sample documents using Python/PyMongo -# 3. Creating a backup -# 4. Deleting the original cluster -# 5. Restoring into a new cluster from backup -# -# Prerequisites: -# - kubectl configured with cluster access -# - CSI driver with snapshot support (run ./operator/src/scripts/test-scripts/deploy-csi-driver.sh for Kind/Minikube) -# - DocumentDB operator installed -# - Python3 with pymongo installed (pip3 install pymongo) -# ============================================================================= - -set -e - -# Configuration -NAMESPACE="documentdb-demo-ns" -CLUSTER_NAME="multi-region-demo" -RESTORED_CLUSTER_NAME="restored-demo" -BACKUP_NAME="demo-backup" -PASSWORD="DemoPassword123!" -USERNAME="default_user" -PORT=10260 - -# Colors for output -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -BLUE='\033[0;34m' -NC='\033[0m' # No Color - -log_step() { - echo -e "\n${BLUE}===================================================================${NC}" - echo -e "${BLUE}$1${NC}" - echo -e "${BLUE}===================================================================${NC}\n" -} - -log_success() { - echo -e "${GREEN}✓ $1${NC}" -} - -log_info() { - echo -e "${YELLOW}ℹ $1${NC}" -} - -log_error() { - echo -e "${RED}✗ $1${NC}" -} - -wait_for_cluster_ready() { - local cluster_name=$1 - local max_wait=300 - local waited=0 - - log_info "Waiting for cluster '$cluster_name' to be ready (max ${max_wait}s)..." - - while [ $waited -lt $max_wait ]; do - STATUS=$(kubectl get documentdb $cluster_name -n $NAMESPACE -o jsonpath='{.status.phase}' 2>/dev/null || echo "NotFound") - if [ "$STATUS" == "Ready" ]; then - log_success "Cluster '$cluster_name' is Ready!" 
- return 0 - fi - echo " Current status: $STATUS (waited ${waited}s)" - sleep 10 - waited=$((waited + 10)) - done - - log_error "Timeout waiting for cluster to be ready" - return 1 -} - -wait_for_backup_complete() { - local backup_name=$1 - local max_wait=180 - local waited=0 - - log_info "Waiting for backup '$backup_name' to complete (max ${max_wait}s)..." - - while [ $waited -lt $max_wait ]; do - STATUS=$(kubectl get backup $backup_name -n $NAMESPACE -o jsonpath='{.status.phase}' 2>/dev/null || echo "NotFound") - if [ "$STATUS" == "Completed" ]; then - log_success "Backup '$backup_name' completed!" - return 0 - fi - echo " Current status: $STATUS (waited ${waited}s)" - sleep 10 - waited=$((waited + 10)) - done - - log_error "Timeout waiting for backup to complete" - return 1 -} - -cleanup_port_forward() { - if [ -f /tmp/demo_pf.pid ]; then - PID=$(cat /tmp/demo_pf.pid) - kill $PID 2>/dev/null || true - rm -f /tmp/demo_pf.pid - fi -} - -# Cleanup on exit -trap cleanup_port_forward EXIT - -# ============================================================================= -# STEP 1: Create Namespace and Credentials -# ============================================================================= -log_step "STEP 1: Creating Namespace and Credentials" - -cat < /tmp/demo_pf.log 2>&1 & -PF_PID=$! -echo $PF_PID > /tmp/demo_pf.pid -sleep 10 - -# Check if port forward is working -if ! nc -z 127.0.0.1 $PORT 2>/dev/null; then - log_error "Port forwarding failed. Trying pod-based forwarding..." - cleanup_port_forward - POD_NAME="${CLUSTER_NAME}-1" - kubectl port-forward pod/$POD_NAME $PORT:$PORT -n $NAMESPACE > /tmp/demo_pf.log 2>&1 & - PF_PID=$! - echo $PF_PID > /tmp/demo_pf.pid - sleep 10 -fi - -# Create Python script for writing documents -cat > /tmp/write_documents.py << 'PYTHON_SCRIPT' -#!/usr/bin/env python3 -""" -Demo script to write documents to DocumentDB cluster. -Demonstrates various MongoDB operations. 
-""" - -import sys -from datetime import datetime -from pymongo import MongoClient -from pymongo.errors import ConnectionFailure - -def main(): - if len(sys.argv) != 4: - print(f"Usage: {sys.argv[0]} ") - sys.exit(1) - - host_port = sys.argv[1] - username = sys.argv[2] - password = sys.argv[3] - - # Connection string with TLS - connection_string = f"mongodb://{username}:{password}@{host_port}/?authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true" - - print("Connecting to DocumentDB cluster...") - try: - client = MongoClient(connection_string, serverSelectionTimeoutMS=30000) - # Test connection - client.admin.command('ping') - print("✓ Connected successfully!") - except ConnectionFailure as e: - print(f"✗ Connection failed: {e}") - sys.exit(1) - - # Use demo database - db = client.demo_database - - # ================================================================= - # Insert sample data into various collections - # ================================================================= - - print("\n--- Creating 'users' collection ---") - users = db.users - users.drop() # Clean start - - user_docs = [ - {"name": "Alice Johnson", "email": "alice@example.com", "department": "Engineering", - "role": "Senior Developer", "salary": 95000, "joined": datetime(2021, 3, 15)}, - {"name": "Bob Smith", "email": "bob@example.com", "department": "Marketing", - "role": "Marketing Manager", "salary": 85000, "joined": datetime(2020, 6, 1)}, - {"name": "Carol Williams", "email": "carol@example.com", "department": "Engineering", - "role": "Tech Lead", "salary": 110000, "joined": datetime(2019, 1, 10)}, - {"name": "David Brown", "email": "david@example.com", "department": "Sales", - "role": "Sales Representative", "salary": 65000, "joined": datetime(2022, 8, 20)}, - {"name": "Eve Davis", "email": "eve@example.com", "department": "Engineering", - "role": "DevOps Engineer", "salary": 90000, "joined": datetime(2021, 11, 5)} - ] - - result = users.insert_many(user_docs) - 
print(f"✓ Inserted {len(result.inserted_ids)} users") - - print("\n--- Creating 'products' collection ---") - products = db.products - products.drop() - - product_docs = [ - {"name": "Cloud Database", "category": "Database", "price": 299.99, - "features": ["Auto-scaling", "Multi-region", "Backup"], "in_stock": True}, - {"name": "API Gateway", "category": "Networking", "price": 149.99, - "features": ["Rate limiting", "Authentication", "Logging"], "in_stock": True}, - {"name": "ML Platform", "category": "AI/ML", "price": 499.99, - "features": ["Model training", "Inference", "AutoML"], "in_stock": True}, - {"name": "Container Registry", "category": "DevOps", "price": 99.99, - "features": ["Image scanning", "Geo-replication"], "in_stock": True} - ] - - result = products.insert_many(product_docs) - print(f"✓ Inserted {len(result.inserted_ids)} products") - - print("\n--- Creating 'orders' collection ---") - orders = db.orders - orders.drop() - - order_docs = [ - {"order_id": "ORD-001", "customer": "alice@example.com", "product": "Cloud Database", - "quantity": 1, "total": 299.99, "status": "completed", "date": datetime(2024, 1, 15)}, - {"order_id": "ORD-002", "customer": "bob@example.com", "product": "API Gateway", - "quantity": 2, "total": 299.98, "status": "processing", "date": datetime(2024, 1, 20)}, - {"order_id": "ORD-003", "customer": "carol@example.com", "product": "ML Platform", - "quantity": 1, "total": 499.99, "status": "completed", "date": datetime(2024, 1, 22)}, - {"order_id": "ORD-004", "customer": "alice@example.com", "product": "Container Registry", - "quantity": 3, "total": 299.97, "status": "pending", "date": datetime(2024, 1, 25)} - ] - - result = orders.insert_many(order_docs) - print(f"✓ Inserted {len(result.inserted_ids)} orders") - - # ================================================================= - # Demonstrate query operations - # ================================================================= - - print("\n--- Running sample queries ---") - 
- # Count documents - user_count = users.count_documents({}) - print(f"Total users: {user_count}") - - # Find with filter - engineers = list(users.find({"department": "Engineering"})) - print(f"Engineers: {len(engineers)}") - for eng in engineers: - print(f" - {eng['name']} ({eng['role']})") - - # Aggregation: Average salary by department - pipeline = [ - {"$group": { - "_id": "$department", - "avg_salary": {"$avg": "$salary"}, - "count": {"$sum": 1} - }}, - {"$sort": {"avg_salary": -1}} - ] - dept_stats = list(users.aggregate(pipeline)) - print("\nSalary by department:") - for stat in dept_stats: - print(f" {stat['_id']}: ${stat['avg_salary']:,.2f} avg ({stat['count']} employees)") - - # Order statistics - completed_orders = orders.count_documents({"status": "completed"}) - total_revenue = sum(order['total'] for order in orders.find({"status": "completed"})) - print(f"\nCompleted orders: {completed_orders}") - print(f"Total revenue: ${total_revenue:,.2f}") - - print("\n" + "="*60) - print("✓ All demo documents written successfully!") - print("="*60) - - # Summary - print(f"\nDatabase: demo_database") - print(f"Collections created:") - print(f" - users: {users.count_documents({})} documents") - print(f" - products: {products.count_documents({})} documents") - print(f" - orders: {orders.count_documents({})} documents") - - client.close() - -if __name__ == "__main__": - main() -PYTHON_SCRIPT - -# Run the Python script -python3 /tmp/write_documents.py "127.0.0.1:$PORT" "$USERNAME" "$PASSWORD" - -log_success "Demo documents written to the cluster" - -# Cleanup port forward -cleanup_port_forward - -# ============================================================================= -# STEP 4: Create Backup -# ============================================================================= -log_step "STEP 4: Creating Backup of the Cluster" - -cat </dev/null; then - log_error "Cluster still exists!" 
- exit 1 -else - log_success "Cluster successfully deleted" -fi - -# Show backup still exists -echo "" -log_info "Backup still available for restore:" -kubectl get backup $BACKUP_NAME -n $NAMESPACE - -# ============================================================================= -# STEP 6: Restore into New Cluster -# ============================================================================= -log_step "STEP 6: Restoring Backup into New Cluster" - -cat < /tmp/demo_pf.log 2>&1 & -PF_PID=$! -echo $PF_PID > /tmp/demo_pf.pid -sleep 10 - -# Create verification script -cat > /tmp/verify_restore.py << 'PYTHON_SCRIPT' -#!/usr/bin/env python3 -""" -Verify that restored data matches original data. -""" - -import sys -from pymongo import MongoClient -from pymongo.errors import ConnectionFailure - -def main(): - if len(sys.argv) != 4: - print(f"Usage: {sys.argv[0]} ") - sys.exit(1) - - host_port = sys.argv[1] - username = sys.argv[2] - password = sys.argv[3] - - connection_string = f"mongodb://{username}:{password}@{host_port}/?authMechanism=SCRAM-SHA-256&tls=true&tlsAllowInvalidCertificates=true" - - print("Connecting to restored cluster...") - try: - client = MongoClient(connection_string, serverSelectionTimeoutMS=30000) - client.admin.command('ping') - print("✓ Connected successfully!") - except ConnectionFailure as e: - print(f"✗ Connection failed: {e}") - sys.exit(1) - - db = client.demo_database - - print("\n" + "="*60) - print("VERIFYING RESTORED DATA") - print("="*60) - - # Verify users collection - users = db.users - user_count = users.count_documents({}) - print(f"\n✓ Users collection: {user_count} documents") - - if user_count == 5: - print(" Expected: 5, Found: 5 - PASS") - else: - print(f" Expected: 5, Found: {user_count} - FAIL") - - # Show sample user - sample_user = users.find_one({"name": "Alice Johnson"}) - if sample_user: - print(f" Sample user: {sample_user['name']} - {sample_user['role']}") - - # Verify products collection - products = db.products - 
product_count = products.count_documents({}) - print(f"\n✓ Products collection: {product_count} documents") - - if product_count == 4: - print(" Expected: 4, Found: 4 - PASS") - else: - print(f" Expected: 4, Found: {product_count} - FAIL") - - # Verify orders collection - orders = db.orders - order_count = orders.count_documents({}) - print(f"\n✓ Orders collection: {order_count} documents") - - if order_count == 4: - print(" Expected: 4, Found: 4 - PASS") - else: - print(f" Expected: 4, Found: {order_count} - FAIL") - - # Run same aggregation as before to verify data integrity - pipeline = [ - {"$group": { - "_id": "$department", - "avg_salary": {"$avg": "$salary"}, - "count": {"$sum": 1} - }}, - {"$sort": {"avg_salary": -1}} - ] - dept_stats = list(users.aggregate(pipeline)) - - print("\n✓ Aggregation results (should match original):") - for stat in dept_stats: - print(f" {stat['_id']}: ${stat['avg_salary']:,.2f} avg ({stat['count']} employees)") - - print("\n" + "="*60) - print("✓ DATA RESTORATION VERIFIED SUCCESSFULLY!") - print("="*60) - - client.close() - -if __name__ == "__main__": - main() -PYTHON_SCRIPT - -# Run verification -python3 /tmp/verify_restore.py "127.0.0.1:$PORT" "$USERNAME" "$PASSWORD" - -# Cleanup -cleanup_port_forward -rm -f /tmp/write_documents.py /tmp/verify_restore.py - -# ============================================================================= -# Summary -# ============================================================================= -log_step "DEMO COMPLETE!" - -echo -e "${GREEN}" -echo "============================================================" -echo " Multi-Region Backup & Restore Demo Completed Successfully!" -echo "============================================================" -echo "" -echo " What was demonstrated:" -echo " 1. ✓ Created namespace and credentials" -echo " 2. ✓ Deployed multi-region DocumentDB cluster (3 nodes, HA)" -echo " 3. ✓ Wrote demo documents (users, products, orders)" -echo " 4. 
✓ Created backup of the cluster" -echo " 5. ✓ Deleted original cluster" -echo " 6. ✓ Restored from backup to new cluster" -echo " 7. ✓ Verified restored data integrity" -echo "" -echo " Resources created:" -echo " - Namespace: $NAMESPACE" -echo " - Restored Cluster: $RESTORED_CLUSTER_NAME" -echo " - Backup: $BACKUP_NAME" -echo "" -echo " Cleanup command:" -echo " kubectl delete namespace $NAMESPACE" -echo -e "${NC}" From 84c30b9bf5654eba232a25253bd253c3dcb629ad Mon Sep 17 00:00:00 2001 From: German Date: Fri, 20 Feb 2026 09:46:55 -0800 Subject: [PATCH 8/9] fix: default to published Helm chart for operator install Address review feedback to install from the official published Helm chart (documentdb/documentdb-operator) instead of building from local source. - Change BUILD_CHART default from 'true' to 'false' - Use official Helm repo (documentdb.github.io) instead of OCI registry - Pull chart locally for k3s manifest generation - Keep BUILD_CHART=true as option for local development - Update README examples to reflect new default Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: German --- .../k3s-azure-fleet/README.md | 7 ++- .../install-documentdb-operator.sh | 43 ++++++++++++------- 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/documentdb-playground/k3s-azure-fleet/README.md b/documentdb-playground/k3s-azure-fleet/README.md index 8eec07d0..4625bc1f 100644 --- a/documentdb-playground/k3s-azure-fleet/README.md +++ b/documentdb-playground/k3s-azure-fleet/README.md 
@@ -181,14 +181,17 @@ Installs cert-manager on all clusters: ### 5. `install-documentdb-operator.sh` Deploys DocumentDB operator on all clusters: -- Packages and installs the operator Helm chart on the AKS hub +- Installs the operator from the published Helm chart on the AKS hub - Installs CNPG from upstream release + DocumentDB manifests on k3s via Run Command - Verifies deployment across all clusters ```bash -# Build from local chart (default) +# Default: install from published chart ./install-documentdb-operator.sh +# Build from local source (for development) +BUILD_CHART=true ./install-documentdb-operator.sh + # With custom values file VALUES_FILE=custom-values.yaml ./install-documentdb-operator.sh ``` diff --git a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh index 622b7900..f1b4c105 100755 --- a/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh +++ b/documentdb-playground/k3s-azure-fleet/install-documentdb-operator.sh 
@@ -2,14 +2,13 @@ set -euo pipefail # Install DocumentDB operator on all clusters -# - AKS hub: installed via Helm (from OCI registry or local chart) +# - AKS hub: installed via Helm (from published chart or local source) # - k3s VMs: installed via Azure VM Run Command (CNPG from upstream, operator manifests via base64) # # Environment variables: -# BUILD_CHART - "true" (default) builds from local source; "false" pulls from OCI registry -# CHART_REGISTRY - OCI registry URL (default: oci://ghcr.io/microsoft/documentdb-kubernetes-operator/documentdb-operator) -# CHART_VERSION - Chart version when using OCI registry (default: 0.0.1) -# VERSION - Local chart version number (default: 200) +# BUILD_CHART - "true" builds from local source; "false" (default) uses published Helm chart +# CHART_VERSION - Chart version when using published chart (default: latest) +# VERSION - Local chart version number when BUILD_CHART=true (default: 200) # VALUES_FILE - Optional Helm values file path SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" 
@@ -25,16 +24,20 @@ fi CHART_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)/operator/documentdb-helm-chart" VERSION="${VERSION:-200}" VALUES_FILE="${VALUES_FILE:-}" -BUILD_CHART="${BUILD_CHART:-true}" -CHART_REGISTRY="${CHART_REGISTRY:-oci://ghcr.io/microsoft/documentdb-kubernetes-operator/documentdb-operator}" -CHART_VERSION="${CHART_VERSION:-0.0.1}" +BUILD_CHART="${BUILD_CHART:-false}" +HELM_REPO_URL="https://documentdb.github.io/documentdb-kubernetes-operator" +CHART_VERSION="${CHART_VERSION:-}" HUB_CLUSTER_NAME="${HUB_CLUSTER_NAME:-hub-${HUB_REGION}}" echo "=======================================" echo "DocumentDB Operator Installation" echo "=======================================" echo "Hub Cluster: $HUB_CLUSTER_NAME" -echo "Chart Directory: $CHART_DIR" +if [ "$BUILD_CHART" = "true" ]; then + echo "Chart Source: local ($CHART_DIR)" +else + echo "Chart Source: published (documentdb/documentdb-operator${CHART_VERSION:+ v$CHART_VERSION})" +fi echo "=======================================" # Check prerequisites @@ -62,8 +65,17 @@ if [ "$BUILD_CHART" = "true" ]; then helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR" CHART_REF="$CHART_PKG" else - echo "Installing from OCI registry: $CHART_REGISTRY (version $CHART_VERSION)..." - CHART_REF="$CHART_REGISTRY --version $CHART_VERSION" + echo "Using published Helm chart..." + helm repo add documentdb "$HELM_REPO_URL" --force-update 2>/dev/null + helm repo update documentdb + CHART_REF="documentdb/documentdb-operator" + if [ -n "$CHART_VERSION" ]; then + CHART_REF="$CHART_REF --version $CHART_VERSION" + fi + # Pull chart locally (needed for k3s manifest generation in Step 2) + rm -f "$SCRIPT_DIR"/documentdb-operator-*.tgz + helm pull documentdb/documentdb-operator ${CHART_VERSION:+--version "$CHART_VERSION"} --destination "$SCRIPT_DIR" + CHART_PKG=$(ls "$SCRIPT_DIR"/documentdb-operator-*.tgz 2>/dev/null | head -1) fi echo "" 
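Review bot: `CHART_VERSION="${CHART_VERSION:-}"` leaves the default install unpinned, so each run deploys whatever chart version the repository serves at that moment, and the banner prints no version for it. A pinned default keeps runs reproducible and turns a changed or replaced upstream release into a deliberate upgrade: `CHART_VERSION="${CHART_VERSION:-<PINNED_CHART_VERSION>}"` (placeholder; use a release the playground was tested with). The header comment in this file's first hunk would then read `(default: <PINNED_CHART_VERSION>)` instead of `(default: latest)`.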
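Review bot: In the published-chart branch, `CHART_REF="$CHART_REF --version $CHART_VERSION"` stores an option inside a string, which only works if the helm install that consumes `CHART_REF` (outside this hunk) expands it unquoted. That is the same word-splitting pattern the last commit in this series removes for `ALL_MEMBERS`. The chart is pulled into `$SCRIPT_DIR` a few lines later, so ending the branch with `CHART_REF="$CHART_PKG"` would drop the embedded flag and install the hub from the exact archive used for the k3s manifests. `helm repo add ... 2>/dev/null` hides the reason for a failure while `set -euo pipefail` still aborts the script, so I would remove the redirect. If the project publishes provenance files, `--verify` on `helm pull` would check the archive before it is templated and applied; `CHART_PKG=$(ls ... | head -1)` is also better written as a glob into an array than as parsed `ls` output.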
@@ -89,11 +101,10 @@ echo "=======================================" # Generate DocumentDB-specific manifests (excluding CNPG subchart) echo "Generating DocumentDB operator manifests..." -# k3s VMs need a local chart package for helm template, even when AKS uses OCI -if [ "$BUILD_CHART" != "true" ] && [ ! -f "$CHART_PKG" ]; then - echo "Building local chart package for k3s manifest generation..." - helm dependency update "$CHART_DIR" - helm package "$CHART_DIR" --version "0.0.${VERSION}" --destination "$SCRIPT_DIR" +# k3s VMs need a local chart package for helm template +if [ ! -f "$CHART_PKG" ]; then + echo "Error: Chart package not found at $CHART_PKG" + exit 1 fi DOCDB_MANIFESTS=$(mktemp) From f874c2af81c27d95452f09b4735ebf478096a7a1 Mon Sep 17 00:00:00 2001 From: German Date: Wed, 11 Mar 2026 15:41:12 -0700 Subject: [PATCH 9/9] fix: address PR review feedback for k3s-azure-fleet playground - Convert ALL_MEMBERS from string to bash array to prevent word-splitting and glob expansion issues when passing cluster names to joinMC.sh - Remove fleet-networking installation since Istio handles all cross-cluster networking (mTLS, service discovery, east-west traffic) per reviewer feedback - Clean up unused FLEET_NET_DIR variable and trap Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../k3s-azure-fleet/setup-fleet.sh | 79 +++---------------- 1 file changed, 9 insertions(+), 70 deletions(-) diff --git a/documentdb-playground/k3s-azure-fleet/setup-fleet.sh b/documentdb-playground/k3s-azure-fleet/setup-fleet.sh index 71362c09..7614ded8 100755 --- a/documentdb-playground/k3s-azure-fleet/setup-fleet.sh +++ b/documentdb-playground/k3s-azure-fleet/setup-fleet.sh 
@@ -33,22 +33,21 @@ for cmd in kubectl helm git jq curl; do done # Get all member clusters (hub is also a member + k3s clusters) -ALL_MEMBERS="$HUB_CLUSTER_NAME" +ALL_MEMBERS=("$HUB_CLUSTER_NAME") # Add k3s clusters from deployment info IFS=' ' read -ra K3S_REGION_ARRAY <<< "$K3S_REGIONS" for region in "${K3S_REGION_ARRAY[@]}"; do if kubectl config get-contexts "k3s-$region" &>/dev/null; then - ALL_MEMBERS="$ALL_MEMBERS k3s-$region" + ALL_MEMBERS+=("k3s-$region") fi done -echo "Members to join: $ALL_MEMBERS" +echo "Members to join: ${ALL_MEMBERS[*]}" # Clone KubeFleet repository KUBFLEET_DIR=$(mktemp -d) -FLEET_NET_DIR="" -trap 'rm -rf "$KUBFLEET_DIR" "$FLEET_NET_DIR"' EXIT +trap 'rm -rf "$KUBFLEET_DIR"' EXIT echo "" echo "Cloning KubeFleet repository..." 
@@ -94,73 +93,13 @@ echo "✓ Hub-agent installed" echo "" echo "Joining member clusters to fleet..." chmod +x ./hack/membership/joinMC.sh -# Note: $ALL_MEMBERS is intentionally unquoted — joinMC.sh expects individual context names as separate args -./hack/membership/joinMC.sh "$TAG" "$HUB_CLUSTER_NAME" $ALL_MEMBERS +./hack/membership/joinMC.sh "$TAG" "$HUB_CLUSTER_NAME" "${ALL_MEMBERS[@]}" popd > /dev/null -# Install fleet-networking -echo "" -echo "Setting up fleet-networking..." -FLEET_NET_DIR=$(mktemp -d) -if ! git clone --quiet https://github.com/Azure/fleet-networking.git "$FLEET_NET_DIR"; then - echo "ERROR: Failed to clone fleet-networking repository" - exit 1 -fi - -pushd "$FLEET_NET_DIR" > /dev/null - -NETWORKING_TAG=$(curl -s "https://api.github.com/repos/Azure/fleet-networking/tags" | jq -r '.[0].name') -echo "Using fleet-networking version: $NETWORKING_TAG" - -# Install hub-net-controller-manager -kubectl config use-context "$HUB_CLUSTER_NAME" -echo "Installing hub-net-controller-manager..." - -helm upgrade --install hub-net-controller-manager ./charts/hub-net-controller-manager/ \ - --set fleetSystemNamespace=fleet-system-hub \ - --set leaderElectionNamespace=fleet-system-hub \ - --set image.tag=$NETWORKING_TAG \ - --wait || echo "Warning: hub-net-controller-manager installation may have issues" - -HUB_CLUSTER_ADDRESS=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$HUB_CLUSTER_NAME\")].cluster.server}") - -# Install networking on each member -for MEMBER_CLUSTER in $ALL_MEMBERS; do - echo "" - echo "Installing fleet-networking on $MEMBER_CLUSTER..." 
- - kubectl config use-context "$MEMBER_CLUSTER" - - # Apply CRDs - kubectl apply -f config/crd/ 2>/dev/null || true - - # Install mcs-controller-manager - helm upgrade --install mcs-controller-manager ./charts/mcs-controller-manager/ \ - --set refreshtoken.repository=$REGISTRY/refresh-token \ - --set refreshtoken.tag=$FLEET_TAG \ - --set image.tag=$NETWORKING_TAG \ - --set image.pullPolicy=Always \ - --set refreshtoken.pullPolicy=Always \ - --set config.hubURL=$HUB_CLUSTER_ADDRESS \ - --set config.memberClusterName=$MEMBER_CLUSTER \ - --set enableV1Beta1APIs=true \ - --set logVerbosity=5 || echo "Warning: mcs-controller-manager may have issues on $MEMBER_CLUSTER" - - # Install member-net-controller-manager - helm upgrade --install member-net-controller-manager ./charts/member-net-controller-manager/ \ - --set refreshtoken.repository=$REGISTRY/refresh-token \ - --set refreshtoken.tag=$FLEET_TAG \ - --set image.tag=$NETWORKING_TAG \ - --set image.pullPolicy=Always \ - --set refreshtoken.pullPolicy=Always \ - --set config.hubURL=$HUB_CLUSTER_ADDRESS \ - --set config.memberClusterName=$MEMBER_CLUSTER \ - --set enableV1Beta1APIs=true \ - --set logVerbosity=5 || echo "Warning: member-net-controller-manager may have issues on $MEMBER_CLUSTER" -done - -popd > /dev/null +# Note: fleet-networking is NOT installed because Istio handles all cross-cluster +# networking (mTLS, service discovery, east-west traffic). Installing both would +# create conflicting network configurations. # Verify fleet status echo "" @@ -183,7 +122,7 @@ echo "✅ KubeFleet Setup Complete!" echo "=======================================" echo "" echo "Hub: $HUB_CLUSTER_NAME" -echo "Members: $ALL_MEMBERS" +echo "Members: ${ALL_MEMBERS[*]}" echo "" echo "Commands:" echo " kubectl --context $HUB_CLUSTER_NAME get membercluster"
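Review bot: The comment added after `popd` in the `@@ -94,73 +93,13 @@` hunk says that installing fleet-networking alongside Istio creates conflicting network configurations, but nothing in the new code removes what the previous version installed. Any cluster already set up with that version still carries the `hub-net-controller-manager`, `mcs-controller-manager` and `member-net-controller-manager` Helm releases and the CRDs applied from `config/crd/`. I would extend the comment with the cleanup step for existing environments, for example `# Existing deployments: helm uninstall hub-net-controller-manager on the hub, and mcs-controller-manager / member-net-controller-manager on each member.` The quoted `"${ALL_MEMBERS[@]}"` argument to joinMC.sh looks correct.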