From dc2dd4292c3ebc392906cae9a5fd4a0ede615124 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 13:29:17 +0200 Subject: [PATCH 01/18] feat(istio): init re-onboard + upgrade + split 
Signed-off-by: David van der Spek --- istio-cni/Pluralfile | 6 + istio-cni/helm/istio-cni/.helmignore | 23 + istio-cni/helm/istio-cni/Chart.lock | 9 + istio-cni/helm/istio-cni/Chart.yaml | 15 + istio-cni/helm/istio-cni/README.md | 1 + .../helm/istio-cni/charts/cni-1.19.0.tgz | Bin 0 -> 5959 bytes .../helm/istio-cni/charts/ztunnel-1.19.0.tgz | Bin 0 -> 2852 bytes istio-cni/helm/istio-cni/deps.yaml | 19 + .../helm/istio-cni/templates/_helpers.tpl | 62 + istio-cni/helm/istio-cni/values.yaml | 36 + istio-cni/helm/istio-cni/values.yaml.tpl | 1 + istio-cni/plural/icons/istio.png | Bin 0 -> 2693 bytes istio-cni/plural/notes.tpl | 1 + istio-cni/plural/recipes/istio-cni-aws.yaml | 17 + istio-cni/plural/recipes/istio-cni-azure.yaml | 17 + istio-cni/plural/recipes/istio-cni-gcp.yaml | 17 + istio-cni/repository.yaml | 12 + istio-cni/terraform/kube/deps.yaml | 12 + istio-cni/terraform/kube/main.tf | 11 + istio-cni/terraform/kube/terraform.tfvars | 2 + istio-cni/terraform/kube/variables.tf | 8 + istio-ingress/Pluralfile | 6 + istio-ingress/helm/istio-ingress/.helmignore | 23 + istio-ingress/helm/istio-ingress/Chart.lock | 6 + istio-ingress/helm/istio-ingress/Chart.yaml | 11 + istio-ingress/helm/istio-ingress/README.md | 1 + .../istio-ingress/charts/gateway-1.19.0.tgz | Bin 0 -> 6820 bytes istio-ingress/helm/istio-ingress/deps.yaml | 19 + .../helm/istio-ingress/templates/_helpers.tpl | 62 + .../envoy-filter-ingressgateway-settings.yaml | 11 +- .../envoy-filter-proxy-protocol.yaml | 13 +- istio-ingress/helm/istio-ingress/values.yaml | 10 + .../helm/istio-ingress/values.yaml.tpl | 13 + istio-ingress/plural/icons/istio.png | Bin 0 -> 2693 bytes istio-ingress/plural/notes.tpl | 1 + .../plural/recipes/istio-ingress-aws.yaml | 15 + .../plural/recipes/istio-ingress-azure.yaml | 15 + .../plural/recipes/istio-ingress-gcp.yaml | 15 + istio-ingress/repository.yaml | 12 + istio-ingress/terraform/kube/deps.yaml | 12 + istio-ingress/terraform/kube/main.tf | 11 + 
istio-ingress/terraform/kube/terraform.tfvars | 2 + istio-ingress/terraform/kube/variables.tf | 8 + istio/helm/istio/Chart.lock | 16 +- istio/helm/istio/Chart.yaml | 19 +- istio/helm/istio/charts/base-1.19.0.tgz | Bin 0 -> 27980 bytes .../istio/charts/istio-operator-1.7.0.tgz | Bin 2977 -> 0 bytes istio/helm/istio/charts/istiod-1.19.0.tgz | Bin 0 -> 28448 bytes .../helm/istio/charts/kiali-server-1.37.0.tgz | Bin 5992 -> 0 bytes istio/helm/istio/crds/crd-all.gen.yaml | 3104 ++++++++++++----- istio/helm/istio/crds/crd-operator.yaml | 6 +- istio/helm/istio/deps.yaml | 11 +- .../istio/istio-nginx-sni-proxy/nginx.conf | 21 - .../istio/templates/authorizationpolicy.yaml | 14 - istio/helm/istio/templates/configmap.yaml | 10 - .../helm/istio/templates/destinationrule.yaml | 30 - istio/helm/istio/templates/envoyfilter.yaml | 54 - istio/helm/istio/templates/gateway.yaml | 19 - istio/helm/istio/templates/istio.yaml | 78 - .../federation-service-monitor.yaml | 2 +- .../templates/monitoring/service-monitor.yaml | 16 - istio/helm/istio/templates/secret.yaml | 11 - istio/helm/istio/templates/serviceentry.yaml | 33 - .../helm/istio/templates/virtualservice.yaml | 42 - istio/helm/istio/values.yaml | 164 +- istio/helm/istio/values.yaml.tpl | 178 +- istio/plural.lock | 18 - istio/plural/recipes/istio-aws.yaml | 11 +- istio/plural/recipes/istio-azure.yaml | 11 +- istio/plural/recipes/istio-gcp.yaml | 11 +- istio/repository.yaml | 3 +- istio/terraform/kube/deps.yaml | 20 +- kiali/Pluralfile | 6 + kiali/helm/kiali/.helmignore | 23 + kiali/helm/kiali/Chart.lock | 6 + kiali/helm/kiali/Chart.yaml | 10 + kiali/helm/kiali/README.md | 1 + .../helm/kiali/charts/kiali-server-1.73.0.tgz | Bin 0 -> 7223 bytes kiali/helm/kiali/deps.yaml | 19 + kiali/helm/kiali/templates/_helpers.tpl | 62 + kiali/helm/kiali/templates/secret.yaml | 11 + .../helm/kiali/templates/service-monitor.yaml | 17 + kiali/helm/kiali/values.yaml | 75 + kiali/helm/kiali/values.yaml.tpl | 15 + kiali/plural/icons/kiali.png | Bin 0 
-> 43979 bytes kiali/plural/notes.tpl | 1 + kiali/plural/recipes/kiali-aws.yaml | 20 + kiali/plural/recipes/kiali-azure.yaml | 20 + kiali/plural/recipes/kiali-gcp.yaml | 20 + kiali/repository.yaml | 12 + kiali/terraform/kube/deps.yaml | 26 + kiali/terraform/kube/main.tf | 11 + kiali/terraform/kube/terraform.tfvars | 2 + kiali/terraform/kube/variables.tf | 8 + 94 files changed, 3210 insertions(+), 1592 deletions(-) create mode 100644 istio-cni/Pluralfile create mode 100644 istio-cni/helm/istio-cni/.helmignore create mode 100644 istio-cni/helm/istio-cni/Chart.lock create mode 100644 istio-cni/helm/istio-cni/Chart.yaml create mode 100644 istio-cni/helm/istio-cni/README.md create mode 100644 istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz create mode 100644 istio-cni/helm/istio-cni/charts/ztunnel-1.19.0.tgz create mode 100644 istio-cni/helm/istio-cni/deps.yaml create mode 100644 istio-cni/helm/istio-cni/templates/_helpers.tpl create mode 100644 istio-cni/helm/istio-cni/values.yaml create mode 100644 istio-cni/helm/istio-cni/values.yaml.tpl create mode 100644 istio-cni/plural/icons/istio.png create mode 100644 istio-cni/plural/notes.tpl create mode 100644 istio-cni/plural/recipes/istio-cni-aws.yaml create mode 100644 istio-cni/plural/recipes/istio-cni-azure.yaml create mode 100644 istio-cni/plural/recipes/istio-cni-gcp.yaml create mode 100644 istio-cni/repository.yaml create mode 100644 istio-cni/terraform/kube/deps.yaml create mode 100644 istio-cni/terraform/kube/main.tf create mode 100644 istio-cni/terraform/kube/terraform.tfvars create mode 100644 istio-cni/terraform/kube/variables.tf create mode 100644 istio-ingress/Pluralfile create mode 100644 istio-ingress/helm/istio-ingress/.helmignore create mode 100644 istio-ingress/helm/istio-ingress/Chart.lock create mode 100644 istio-ingress/helm/istio-ingress/Chart.yaml create mode 100644 istio-ingress/helm/istio-ingress/README.md create mode 100644 istio-ingress/helm/istio-ingress/charts/gateway-1.19.0.tgz create mode 
100644 istio-ingress/helm/istio-ingress/deps.yaml create mode 100644 istio-ingress/helm/istio-ingress/templates/_helpers.tpl rename {istio/helm/istio => istio-ingress/helm/istio-ingress}/templates/envoy-filter-ingressgateway-settings.yaml (72%) rename {istio/helm/istio => istio-ingress/helm/istio-ingress}/templates/envoy-filter-proxy-protocol.yaml (56%) create mode 100644 istio-ingress/helm/istio-ingress/values.yaml create mode 100644 istio-ingress/helm/istio-ingress/values.yaml.tpl create mode 100644 istio-ingress/plural/icons/istio.png create mode 100644 istio-ingress/plural/notes.tpl create mode 100644 istio-ingress/plural/recipes/istio-ingress-aws.yaml create mode 100644 istio-ingress/plural/recipes/istio-ingress-azure.yaml create mode 100644 istio-ingress/plural/recipes/istio-ingress-gcp.yaml create mode 100644 istio-ingress/repository.yaml create mode 100644 istio-ingress/terraform/kube/deps.yaml create mode 100644 istio-ingress/terraform/kube/main.tf create mode 100644 istio-ingress/terraform/kube/terraform.tfvars create mode 100644 istio-ingress/terraform/kube/variables.tf create mode 100644 istio/helm/istio/charts/base-1.19.0.tgz delete mode 100644 istio/helm/istio/charts/istio-operator-1.7.0.tgz create mode 100644 istio/helm/istio/charts/istiod-1.19.0.tgz delete mode 100644 istio/helm/istio/charts/kiali-server-1.37.0.tgz delete mode 100644 istio/helm/istio/istio-nginx-sni-proxy/nginx.conf delete mode 100644 istio/helm/istio/templates/authorizationpolicy.yaml delete mode 100644 istio/helm/istio/templates/configmap.yaml delete mode 100644 istio/helm/istio/templates/destinationrule.yaml delete mode 100644 istio/helm/istio/templates/envoyfilter.yaml delete mode 100644 istio/helm/istio/templates/gateway.yaml delete mode 100644 istio/helm/istio/templates/istio.yaml delete mode 100644 istio/helm/istio/templates/secret.yaml delete mode 100644 istio/helm/istio/templates/serviceentry.yaml delete mode 100644 istio/helm/istio/templates/virtualservice.yaml delete mode 
100644 istio/plural.lock
create mode 100644 kiali/Pluralfile
create mode 100644 kiali/helm/kiali/.helmignore
create mode 100644 kiali/helm/kiali/Chart.lock
create mode 100644 kiali/helm/kiali/Chart.yaml
create mode 100644 kiali/helm/kiali/README.md
create mode 100644 kiali/helm/kiali/charts/kiali-server-1.73.0.tgz
create mode 100644 kiali/helm/kiali/deps.yaml
create mode 100644 kiali/helm/kiali/templates/_helpers.tpl
create mode 100644 kiali/helm/kiali/templates/secret.yaml
create mode 100644 kiali/helm/kiali/templates/service-monitor.yaml
create mode 100644 kiali/helm/kiali/values.yaml
create mode 100644 kiali/helm/kiali/values.yaml.tpl
create mode 100644 kiali/plural/icons/kiali.png
create mode 100644 kiali/plural/notes.tpl
create mode 100644 kiali/plural/recipes/kiali-aws.yaml
create mode 100644 kiali/plural/recipes/kiali-azure.yaml
create mode 100644 kiali/plural/recipes/kiali-gcp.yaml
create mode 100644 kiali/repository.yaml
create mode 100644 kiali/terraform/kube/deps.yaml
create mode 100644 kiali/terraform/kube/main.tf
create mode 100644 kiali/terraform/kube/terraform.tfvars
create mode 100644 kiali/terraform/kube/variables.tf
diff --git a/istio-cni/Pluralfile b/istio-cni/Pluralfile
new file mode 100644
index 000000000..052ec05ce
--- /dev/null
+++ b/istio-cni/Pluralfile
@@ -0,0 +1,6 @@
+REPO istio-cni
+ATTRIBUTES Plural repository.yaml
+
+TF terraform/*
+HELM helm/*
+RECIPE plural/recipes/*
diff --git a/istio-cni/helm/istio-cni/.helmignore b/istio-cni/helm/istio-cni/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/istio-cni/helm/istio-cni/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/istio-cni/helm/istio-cni/Chart.lock b/istio-cni/helm/istio-cni/Chart.lock
new file mode 100644
index 000000000..4f1ad0b8f
--- /dev/null
+++ b/istio-cni/helm/istio-cni/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: cni
+ repository: https://istio-release.storage.googleapis.com/charts
+ version: 1.19.0
+- name: ztunnel
+ repository: https://istio-release.storage.googleapis.com/charts
+ version: 1.19.0
+digest: sha256:5f9e835cde6c2cda3a01add30d38cee44a3c2595306f17914015c3ee3ed6e0d8
+generated: "2023-09-11T12:24:33.670239+02:00"
diff --git a/istio-cni/helm/istio-cni/Chart.yaml b/istio-cni/helm/istio-cni/Chart.yaml
new file mode 100644
index 000000000..36d28b9c9
--- /dev/null
+++ b/istio-cni/helm/istio-cni/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: istio-cni
+description: helm chart for istio-cni
+type: application
+version: 0.1.0
+appVersion: "1.19.0"
+dependencies:
+- name: cni
+ version: 1.19.0
+ repository: https://istio-release.storage.googleapis.com/charts
+ condition: cni.enabled
+- name: ztunnel
+ version: 1.19.0
+ repository: https://istio-release.storage.googleapis.com/charts
+ condition: ztunnel.enabled
diff --git a/istio-cni/helm/istio-cni/README.md b/istio-cni/helm/istio-cni/README.md
new file mode 100644
index 000000000..cbd2e045b
--- /dev/null
+++ b/istio-cni/helm/istio-cni/README.md
@@ -0,0 +1 @@
+A helm chart for istio-cni
\ No newline at end of file
diff --git a/istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz b/istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..d77c176821c9f25206646dbdda700e65f09bbc3a GIT binary patch literal 5959 zcmV-N7r5vjiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBzbK5x1`2MX=fuFiFX=h^Dd1<@n-*j%=#O?WM;^c|by}Rjj zY+8bCUL;aWQck^TzWXzLku1q_l6KqPTl7a_iy#Ps00@!*9WvTJS`eXv6-nZszRT0; zbUH5%56%Bhr&IsmIqYa+wggi+( zL#CuhLk+o5DwW-K+kga=w_~DEs`iX5HGpgr770$H*504?KkfZ#KS_dNhb=I+yy2uhf8-)KVS*aga@ zB5`c=5+Kdu_?*WyTp1`2;0YXYHly=Q5N$Ca=5vT~i81h5$y`h+BVuLXrz?nXMzUCy z$|bT0NF3|>5)_B`$0Lv^mMBamI)iJ%lrE8opca_Gif6zOBW<799AO^wDT#xa&*zlQ z153p%>$l zNBMA|nG1wPhAxPx0KP;aXoMh9Daz*3fI14L9{-Th*OVPop~n%PKrd6g6`{gVVFXhm zF#^uOS9kF7ApTanc%qy7^W7+`# z@>xKxq{76#y2_@QzcC%@#WBB@kVzC)AQXg|R6GGPn^8v9%1l<8$;Si}&PJ#_C42Ty!)9%IOov_!%R@MG6sO67OGUHO()J$WTOS0sb>&zU|fOB(v%BjQ5q^pnhH+B#jY7O z#laxf{WoJu?Qn!dYV9;tFzSM)xg?RbAqzQE8qmn7$e8X#D(I5NIL8PQ9^tN$ER2k} zN=<$m6E))^*(6?byQtl@1XiTDVwGS)(iE9otFk6e8;ex%C5=#6={e_8(rJuVY-JaG zr|JGK_(>M4O!}r}Td7oDHJk_}nNnn`Y;xQytJ+3GkdbMO(QW}PFrorOLvpSj4#?DU zpY#4&L|P4+5NMWm!KbOxm87qw$;W9r^G(GZ^t1-nfYpht7PXY9MYn4Iw2gC+EemN- z*pJSpdYV51Q$j_z+7lx+`ptR{UeChjOH8I1pYuqTfFq1iVdLEk>60~S1lr4r>b`NM^;-VYL#La zE;6QQg2$Fu6J4TBhnBp2c1#5~Ga;P;SrQs+o@hyw80rAEs=&hWw*&ZFhEln2 z0AZTxiLsNo?+GSctjw!ZTCV@U8COJhw@FlLxca=)>3GhhBCsr(qR>u^E(Nt9s<5)G zARVGiXzMC?9P9sC8WDx?RHB{6C-%ii38HYm3LM;f^EODxr}t}I6Ih_YuBn$Va`e5O8e%`d6<-dbe>DT+|52cMZiRa}wS!5U;aJh8S_d)fuC<%Dk3G2yh*`!4Kx z-V?aMCDk5BF@Z|haZbpN)eGb4q$R|8ckT2E*9&C1*Q$p^8!?*3X7W&i$J)d)lz}H) zQ&#Vuz#A^ya+fD5QFKaUs#bx=uh+Wed!F?&yKa)RQoYEg#)J>FE?Li6TJ~OGj6~{r zPave(G^TQ4=je!sS13%?j72D5$7te?R*`>Tr~=o*5~dlABMCFX6J2<1aB&9nPz03c z&b-AJBZM%B?0w3K9~);Iu|IB8NM3O^M2a$I;F+qda9WH@t zTB{T1OAbSPm$Dh()vFTy!Lz_U`9D%iV`*j|I&8b3*8`dy>EIf@ zN`unbWQ|BOUw4JDRn9!hO6IPxG}Z~KwrK}L>&$v5$X1KE9y8rYwT6VJG{6Ang3Jgb zyJmSuL!1keE_Oi)5>hsQ*4*)YR7n(B^|9`t5GYe_y=&`nCdky&ks=CbSv*4Z4ER*5 
zlheo3Oe$mV&~9kyzB>oDaG)@0B@Rp4BU_NpR4j=nB@_-OFA@>;DNymf`E zsxlV#Sq~)--BQ4b#>F3*@*cMSZ!1hvqcrW|*=2tes88yf?lIiA|GR(iqPG8YaQNcz zasTH>JpRoM1a4Le^sENAw?4=$3{lEi7RRf6^2F%>dEO<57>Urnwf6C++U(g$*I>|U zyVA1xGc5GfDHTzfgoZZOFmpYv$8jUjKbt%M`A=2y{hHcjIw#L zCaPdAJo_^0j9oE)%?i|;C<}+D3;q$Kz9+KSo=uUIz7;%6wLjqdA1f=F;&i5Z}X%~FEudLhDa)vB=oRa_J zo~`r$)E-iN3pe1N`Tt=5;Gj1Dzj(3t{Bi#O5zp684(=4|(GA!-FYp*IaHjj7TkJb{ z>;Y`fzndJDnccq7^NoeyIIP=kPK9@5ek^-+p#>$3}ob_m#0Z zPlF?p5_9TFQ3mg_DLPXfyrs&0gwJ_giv+(lze4{RdkWgbCOoZDrJCq&VZ#PJGJo@Q|#!WJ?*cEpTr ztuB0SIdK8FDL#P-SaGu9cfs!j2f?1dTL#dA;1@wKA*0n|wMy?Qj`@6SPHKHK2)|`q zRlS-#coc4LH!5b49Fr&#D5Y*NgkbSp-oJwohR}b zbUFvlyeD?Lu(>#nFPHNGKwdt=h zhS7F0x2}%rl3)N-$M?Q5){mqShNQ$T%Jf3Ko5#L8z)}iB_e<**f!aYyW{RllE<{wW z1G2%yO824&&IM0UEijWX3I$2AOhf^j7El_mG=N>$(T>c{7NC?1P2=A4&fcNF4aP)e z@3a$Cf`)RZMB8Rk$J&?N-0!TWbJ!gTQ2g&CiSL5@43tI46#N1uPpq_=VfgRl7#`s6 z!R_sWOEt8Pu=Vr`kHz88f-$P-gpr_1j4+p7h$+iHc?Cag)N(1hO*{D}VPVFF%fz8< zZj|2TE|^%;DeAW}Tws*NHi=*zCTtF|y>+)u#9XC+c`8mpevyAu;aARU_zY~5r!|fO zC?2Dz3;Gi{C07VC6IhSPoTHM}K9D%J)CWcV7T|1VG-Jp|4z}bY<|eBP{ZCXXS!q{X z*`*S9q0^zDW|^bcQ7z64j|DmkD4UmCy~0%&j$DOa6mcfcSiE{j(`AzTpD@hS11L@f z<$|i!QB0(?A zgHS4ZD@cgvD5yzv;>@H3VWZM(6h zl6O$*koFL|HF!nl+ndmZdRb>o&(m@>7j?e9ssng-d)vCX2{aP3r1s0((T=}dROf*r zYP^oK7F6EA!g9oUeb0SeZ!6Ia4Q!Z4Fs>nqC_^dF1)pNKvi8n@QIA|q&t!5Y?i#2C>jffoLz9P%BeX85vA0(I_uUs zb?Z?p15|U1s=V6BJlZn-*Km9WC1|qt0`?BKjz-9ngy;pthl;S5_aKOv%PI$Jy=csA zuJxk@tyawEW1gurQ+6BcRf$y(!Qnd4@V1c{o3XHs5F*F_kS0I+?go%8yG_GZ%N(vZ z^90OWm#Cu6Y1xb_?y_Wq8g15&9t{WMqqE_g@vwK=ugUw;rMYcxc-6@9n+JURCacRS z*D|oh&ev%i_Amc>cJXd(ck7x6eIs~M*XBGG@sy(AD`^!j6*l+8`ryJ#LC z4=$RydULb3{ncD?zlqy=^}oSfms)JRtx~3NX(PhstGPVgKQ~kQm)>C5KOSp}&rjaJ z9Sk2R1{SFq{wBN^{qx@7V%#70UZ3=jABJ-y=HgD&!?WZ5R=I5!hZ)5<+9C(0?A+LY z?cE1jAhm$sMZ!t%b^m01es(kl={oiM!X|NTpNzmbjnrS1LNJ9)pokN37{ z%D1)ojWw)xpt%X~MJjl5_I7;I|FwUz)xb6$Sgj9Z?wZ@1HzpeC=$*bE^oN)CSh`KM za4q6*jg6Lb^j+@$miGIv&)`w27hJ0H#(Ax!;wG=w zlrneW&7G*~*T^&@W2o*ywj`o0GS;r|TWsQr`FsP{*Jww%^(_}gG&NrZdtk2^s?zSJ 
zeJq^dDVY;@hZ~pbk{9OvE^acpjR$`~U(1xsm2A&sdz#MfCHplk_MnR`sZFA%>1@_a zbfca(t(J>~+s1I%JXd$?&hQ#!V^z3ctP0(p$|eT4nyP32-i52&1FN5vZK?O}5}xTK}L3)P^g{vG@Jbs9I# z&^?6xfhCX|-x(L?inN%|8%f%%vc~ z@gHtU-y%wpaFJ;7kIH%+suV`TbtSonQ4>{i|Pc zqZH065&G`HvR4SuaUnnVWD1qyA)GyY3Q2JXme{(Wsk$$ z-!$5cAnJcg1xmRNAZV3N%Ln;knXoMf1Zu=z&6R9OpWoes45w#n8E&D=? zm_&)g~|bPQ9!%Q!YY=6e4Lxc4Vr6zvCjlz1{&RtF|lnt#cUAkrr9!v`RHR*1$BgeA7j(UCD zcZ*f7R5!gGl*f@Wn3NzUKqUy&y+P)#UqohtEsY#Zn!KOMno$k$dWy&^*(Om!8I=k} z%Z2~9=NS=%Da5F?4w)>Fwn!9lW+M37&%DV-IOC*z5qbcB=b3p?FoOYC3lyb`);Wt; zz!|*zWt68NxN9s;gsivI)VCernUXXz(I+KFSyAoTjVv>m?jYOkZS9sWlefY;X|>Gl z^_%;luawAeVlX~|BXje==e^;=eYU8QOlm?UhlEFTX0Kb%FW_E>`MUdYWy<-?+(_!R z>}{)Q%vTt}bXCkEyI_YtR56$vf?$R*{ZvU3l*MG!YN=IG`0Gh&LCW1coo1iBPws-^?`AP z((}%k{&006G<++hF! literal 0 HcmV?d00001 
diff --git a/istio-cni/helm/istio-cni/charts/ztunnel-1.19.0.tgz b/istio-cni/helm/istio-cni/charts/ztunnel-1.19.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..efb4d7f43520ee7c86d69ec08e094157000b085e GIT binary patch literal 2852 zcmV+<3)}P`iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH$lbKADEdFHR!EA=6ni74vBP0E@3;IZA-(^&Rcc4qEvJ2phD zBwT|4F96C`9sl<;07#0Yl-j3tlhbpI%)}zF*e~oZ77P4lav_lS50*rka7|MF>e*Wq zMbWq8vHKfEQTuN+dN+PG7?0nLNAKPZN8?w~VEAq@dIiz*v$EZCZHRgm{b^cl;r=F# zWb7j<&7_E7H3&$SRiA@!@Ld=M6m_ClW?bKo$WutHt-xF=VA?PVg$+R>(@Y8!Mh7gh z&`V=79rybVEM&6Ji9v1pbF#7kx=#dElF{DayW!p7yJ47#MR0@bTdAmygPzCVEAW@! zfgmZyCDlO7TqWqhOL_}tmia79Wa>%#|ASRavahZCe}z{1|BCP&^|O^oRggUXl1__Y=r`fNDu}qPbY>>CkVO)t2Vy;AsM=GJTE{KDGXtjVd(Tb zZ-EtjDa<%YJZ~rrQwZ10&bS69TyG|67`U!Yj0?K(fy|I=%NEHpzIH!22O~4!xI&A$ zh=c)mpfTJ(1YOt{LK@{+xiAi$Wq1?*oye$yI#dil z|GE>&*8EJ;V&-O2jd?;TQacApvUFO4i`oK{I;cWW`2RUmNZrcoM3Ib%1!PL5XqK33 zc+CW)QX4?AVoHkCZd`A|Ad|F4HV&XR$r^elm9>|_UNnq4TceH=#?Ub;$4*Od-daOh zt+-zXOZ&rS@q#X#Nm{LqRq&iGa^*M+swJ~5T4_-m_ZuL|@)-7_D0N>crc$kA7)Imw zC(PLr(+1=mG$sm-vv^U_;0*NrO*s*_o1e>k~AD5<{x^l+Kv7 zCxw(LOq?20Nv-Z!W}Joj%>rlHyc3jQCoK?*>cYzJthQ8h9CTq2!cyKsO2pclz7$l$ zO+G`oCCqr+ss%A?#tTIfoadac0q>YKfVou8f)h5g0T@-v1ToH<47@fK-8VrOhCAq$ z1UyM2fhxiT*bjLt?2-sCx~^k`9t_(faDNZsxrYetHU`X9+M-CqrY z8zyKBht3YBXo9rNw*r7>?ahDdj3gLuxwGr`j$fQeT?%)9--Ga@FEb*IoXg>!aiPwt(cf9XV_``3?t>HJz_*XQXQxoQb}43ufB zVES}5?2x!#FnGGyrIpwwB*kfCd2O@Vz7lBA9rC4)fiscc730NWdEcLvCoLDT%}9=_ zt=1mkeC{Ng$Z4`fnsclM0c2*UNEO4;9n(hF=DEZ5fntUwgzr--g+3L0{j|v&qDOa_ zk~6HcxilvG z0Zo(htg^R3v!9q{4E-e%ZkE6GE!ItlAZpRDUhl%2?`Hf0K(VTWduu-Ua5=p=I=?zT ztPys#1#cRKMb&FGhJ1hTaMr0+E@St$f|T8K>fE$~>u0(eaU8|!F`1l1yWH(5T>b$b z8y7=0qN(liYujHD)mORb7k3QB#o~sGTHZl>3F#%M%o9-=d4odl#?^C!pVwyN=BuF= z3tG!EMJ>(zye=Low$@XX--FyBEN{+s=4VaWic}sO8({4+X`{@hk6lp6)Sl5V*^5|Jbv*5z;_JF`+P=FbKNtnMIz#Ic5@$#asr# z_4Rckg_axxcjcq(5TUeqG1_<-+AFS-LT#iX3k(-hE;y2mY4=*daiD8>d@{FR&_u>A#vOxVe#Vdw1C4vH#NuHwcP90u3fsQwiJn>Qm%s@OP;dAZ_#qjmJV3>x$tm=se4$ 
zGVMnr= 0.7.12' + - type: helm + name: istio + repo: istio + version: '>= 0.1.101' + - type: terraform + name: kube + repo: istio-cni + version: '>= 0.1.0' diff --git a/istio-cni/helm/istio-cni/templates/_helpers.tpl b/istio-cni/helm/istio-cni/templates/_helpers.tpl new file mode 100644 index 000000000..266d4fa0d --- /dev/null +++ b/istio-cni/helm/istio-cni/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio-cni-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio-cni-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio-cni-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "istio-cni-plural.labels" -}}
+helm.sh/chart: {{ include "istio-cni-plural.chart" . }}
+{{ include "istio-cni-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "istio-cni-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "istio-cni-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "istio-cni-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "istio-cni-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
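Review bot: The `istio-cni-plural.serviceAccountName` define at the end of this hunk dereferences `.Values.serviceAccount.create`, but the istio-cni values.yaml added in this same patch has no `serviceAccount` key, so any template that includes the helper would presumably fail to render on the missing map. No template visible in this patch includes it, so it reads as leftover chart scaffolding. I would delete the define, or keep it with a comment such as `{{/* Unused scaffold: needs .Values.serviceAccount, which values.yaml does not define. */}}`. The `istio-ingress-plural.serviceAccountName` define in istio-ingress/helm/istio-ingress/templates/_helpers.tpl is the same code and needs the same treatment if that chart's values also lack the key.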
diff --git a/istio-cni/helm/istio-cni/values.yaml b/istio-cni/helm/istio-cni/values.yaml
new file mode 100644
index 000000000..7ecb43c8c
--- /dev/null
+++ b/istio-cni/helm/istio-cni/values.yaml
@@ -0,0 +1,36 @@
+global:
+ hub: gcr.io/istio-release
+
+cni:
+ enabled: true
+ cni:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ # privileged: true # Possibly needed for ambient mode
+ excludeNamespaces:
+ - istio
+ - istio-ingress
+ - kube-system
+ # ambient:
+ # enabled: false
+ # redirectMode: ebpf
+ # redirectMode: iptables # this is the default. For GKE and new AKS it would need to be ebpf
+
+ztunnel:
+ enabled: false
+ hub: gcr.io/istio-release
+ istioNamespace: istio
+ redirectMode: ebpf
+ # redirectMode: iptables # this is the default. For GKE and new AKS it would need to be ebpf
+ resources:
+ requests:
+ cpu: 100m
+ memory: 1024Mi
+ meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true" # Needed for ambient mode
+ CA_ADDRESS: istiod.istio.svc:15012 # Hack until new chart is released
+ XDS_ADDRESS: istiod.istio.svc:15012 # Hack until new chart is released
diff --git a/istio-cni/helm/istio-cni/values.yaml.tpl b/istio-cni/helm/istio-cni/values.yaml.tpl
new file mode 100644
index 000000000..9e26dfeeb
--- /dev/null
+++ b/istio-cni/helm/istio-cni/values.yaml.tpl
@@ -0,0 +1 @@
+{}
\ No newline at end of file
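Review bot: The `CA_ADDRESS` and `XDS_ADDRESS` overrides at the end of the `ztunnel` block in istio-cni/helm/istio-cni/values.yaml hard-code `istiod.istio.svc:15012`, repeating the namespace already given by `istioNamespace: istio`, and the only explanation is "Hack until new chart is released". If the control plane is ever installed under a different namespace the two settings can drift, and ztunnel would then presumably be pointed at a CA and XDS endpoint that does not exist. I would replace the two trailing comments with one line above the keys, `# Must match istioNamespace; remove once the upstream ztunnel chart no longer needs the override`, so the coupling and the removal condition are both stated. Separately, `hub: gcr.io/istio-release` is set twice with no tag or digest in this file, so the image version is whatever the vendored 1.19.0 subcharts default to; a comment saying so would help if that is intentional.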
diff --git a/istio-cni/plural/icons/istio.png b/istio-cni/plural/icons/istio.png new file mode 100644 index 0000000000000000000000000000000000000000..171656a1fa09510aa361432e7a93b4e95ad6673c GIT binary patch literal 2693 zcmb7FdpMMN8-B;mG;jJQLy_3lunzSpHhrl`#-Wfyr5tt^(*cp>6gi}E&U`LHTBWVc zvI)&lPA%2guo1<6rD>+bH-ti?7&K$X_xsJvC9bPKzUI2#dEa?{&vQTbeLv584SlbR z9YIk;5kU}wgT1XQf?&w-LYIKZm~G8=JijHa4Wt@DTsN<9-OTHYYyE!oG>D zp4NMPcgBHlZ<2V~g=XoveadzWYvq5YPzv4f=N)M&`UHo6XB72OLdTEZde_IhS)N=@ zLL~`X&9<$px2N~&rK)Xw9rmgzu2&R3y@vFx-Kom#FT}a-@ktYH{|Ljw!>ZZ^hb9l% z`v1Jq&|%$7Rz)0k=FF<0A0?5rtP`69gNr*NB>34sKnkw5cIr* zt<`~O?pTjwdcL3fU;iBvOA7oBr7l~&I=MK?Dwu+`+EsvCGkOghyngL5r_oB3n^*qx zhV57e#n3s`-3hlFTSM6A#nGqO9z2lk{A9YO%i%YLApZxKMD^GFJb!(1ZYY(l#I}y)la#0cb#5}&2IDv?Wqpr z-E-an%Enbu1^YqO=;^^L=eLN6DCv^$eT)_;okVXwqCk$qo4A)awj;7jidg z>M!?tV@^uYt&iHtc<~-|wAJ8_^PV&CyQDluXkJyPGddFxl~S#DepCSES{_y2L&Rpk zGVD45y8Y0gjgoGSrjZf`ZfhnXxg9WQ0)v0d2UTVjYr&Zc4F?ipa9n~FvebVI7Na|j zR>PY1FVx6@jONjOsfkfGL~;@b6x01+aXw_>3xl~Z*!DTt=TQmIW(>hs#{!yv*j6{(!{^Kx{n<~2&GNi||wNn=2NGc}Qv;Oq05W}Afqj4$xzbBzoL z3UB?TXW~_Zrdq#c9VEBy@@j5*#+0mArX^OJi>pV8UW4X3q{F2M9k#U^ahD! 
zE8vNebbV+;F9^!y)&_}DrKV0o_9^k>+wdMOzH(%XEfOZy^PyFZf=nh0ScoOEslXV8 z^bz9%fYdC=?>Lc;@PrwD(%d(&^o|6KMw#qIYg<$XY=C7ms>h|NE!0Ga2`2>smify7 zz5`CeCi3h{vL@})oOW3gy((!FFgDl(Y$3!MU5wKrBO=d{69Lm+01Y+?@LvVD6msTO zkm2DVa0;r%$(x)b%V^88Y9&yf=WFAQ`<4lUET>~)`Y$ZpY(A?Y2pp5&W zu$#^#JQNjPx$}bcsigh7hfmCP&GP4r;GTe+nrQ-?Zm#=g(`pLUEhy;5M%rP?n5w6i zNM&NiIX>xAP2j^gJ2lS4bcoG#+iN__dzd;?yK1?YcJ7>Ml6b@ZxbGy7@`;U(lfodo z6c^o9>0NG$fJdxt&KP~mmDX~Li-LkNI;XJ z?{leCanEEXUg^Z;4=uQH*SnIGEL^5{GP6iY1uK&OM9D)S=0t8{Xz`D!SCmC|pXz52`s2In zO{+`Fb|aVte{pEv9PVmS=8E%mr@HS^7^XsvStb9nckS+xH_FVn*YFejchC_q zcR?T_GMZC4+Jz5!eTr+KOxE^YHy3cVOk;T+b2)=zA?Ezau5}jaE38e4=ISI^rblXA88YOO*#F&0##g`oQD9|uyqo~mJV*8wP$v`u@mdM83xgix*jse8+5Gv@|W zHxQaUsbgI?1ZO*M-XEMOYT$1l8Cl@S|M}R#>czymDc zVQyr3R8em|NM&qo0PKDHbKADoV1MRcaaQg(Uz|^(CEH1QwUeE76W`X;#PQm0J9jdf z2qKRpe4zkd0F}dBB;{-jtNn=NdHHh`kNy@9qZDN#Xs*n&A2C}(qGbhUTtJF>#@Ce1 z;Y2FR!AX;hXriGPO679Aw@3BMnDV`hD3oe%Mpha??h%#>PSe5YZ~Grdf7_39Hjh5w z`ihHGj-vsXg3+MD%g7SP{%0h4Ardr@zN$G@i((old}(X7|3_+_;}}SuXEY(YDbcFY z%rD&$U+D7szam+I^3O2}~{LLq3X6NgX2g=fM031bP zN|JE|umdMEKt`q+rhO1R)6J$?rumZyBnneqrG)^JBq*gOKS81BOdBSYFcW;~8zN)4 z)O@1Su$dvIn3{^N7RaD5rM2bLhR+rmketR`%=h95JS}5TqQEGUC{{GVqa?9SaTH5b zeIVf8YP$66CgpL(z`kL&=Mj}qNJEx|bhT;ZM~rc0%&p-yNlp7rKh`UY07wNphU*(s z{&Hbu5BRLBltxxajD15ik4$5lvK!D?%4n4HG@ws&BNu#$YJr8+zAEQJjiEPsGTa~b zT5n|{h;}JG-Prc)oT$YZdV5k4CHJa#8j`aA#ze)XQ&hOjjbj``&-J1PlQhMIhzib@ zE31rl;3du|L&ut=5LB%p;Y{I2Rq8~}Q!V``Gbos24z0wJ6pAm2qKVOKiOP4-k}|q1 zmXHg&q8ZLng1~PvaaIZ=_pGC_{14e&^-g3i{kRbge53+uXCY{>Y5u1)0rga>g^7tX)z6?&QouM*_>34veUv zwEP7~@?s35;c#hwEpf@kdJLoe?_N_)1YOb^V)I@~{eO`}N5yi7<&*?inGlAtC3 z+&P#r=+0P@kJW=Gk>}Klv!8!fG^4*64xOP$kSQ`p(*e;AobeQpt*GG4_>>h9RM#XU zWGlnZXa`=ADQ4C<=DGH)T)Sc@*$`z0z=JmpYIm7tzeS9vc!3!viVOQh@eG9r(TrC- z=NX@`FLHq-eZiSjf>5U1Yu$B>s~ zt2C!8Wd3a&xf|#9yyw3#HLQUy$s8dsvJ7$~J=&{#_cO%>Sy3*4O7@@Hb4zWbVrw01 z5M!{z4~ws|fk&BkwSbvKIGLStbtX`1$8O-xiYyCcwt9Ghi9pYv9qXt~6z#o@?wEwL z8J!mbfrM7^jHfTD6ona8eP5(=tPHkeRUGX^JMjJ5H`H=@lDA7vbcN1%rSQlZ@yYeg 
zWVavfxWH?PM9a*AC}6y^elI^Q$8QL^EaMhUMo0O6&{nEox^@DxcEMz{1Cu3XM=L@z zjb{Q}z+_22{>(`EEQY^x0r-(D^Gt^s+`1%F+Iu8cET<^6DKE=G84)TDqdu&80SRGH zR{(M+5uw)N>a5M(7^Cb|0 zFgcn1XbXG!(V!En21mMa6RkcQdgAuFwcv$_{+zx5fXzgVAt1oZZs^-Ph1ZjrAz2v# z*5-==E_1a8KGl(zQK`+OYRkA2ZF&K1tW^v9jHD^mvQ4rx!E-&JMcEs}jARlGKpsB6Hi21hp7ANk%HM6&=J8G6 zLi-qGTlmIsp`+N_vI)>*MV9s6)evkNT>NoNA1F(E;}+FY3CiZZzJHFaSQ=zic0nV2 zNpQ*81*!(tAkGU(+RzpLeL!^i1X{G1XOtpqX->Az>AfH&q*YLF~S%e5;YQ^3`DAlgi&dRM;M66#n)6MYh^j7wj-%TWCFW z?1FVNQil!37Te;lr(W(O8yj;en^+q*q1jpO6wU)+;X>UXi_JD|ji*yu!Zc==1*^o) z+c0?7K;Qx8VmOqLYWrsf8qDQxDQro|6!HZTi zg2vpAspZQzqH-D8has%W=6)J^f6&@FboX#i^^a3uQ0qE`V=EQ0>9Xyk)NTVhCCO)v zl{={jvcp}(1j=2N*pNQnvV1)Oysi6aBxr9b)*fPM?_d)}`Yz1->ffihLeX#t&CKuS zrj@m|ZP#YIwb^EM+pAkl!d-5-7+gAn-*u`{JrjCwber>pcj$P{ z2i2sekv^>i$z&WuI=YqXwnSi8H`s)?ll(~kyLq@=q0j%71E;;yH$Sf21_mw$dnf%9!wR>$#uCMnVM=wmk?q)Nax(G|b%?k$NKH^X97gq~q(x`Ft zc+cT$a?U_iRp){-HG|%N$iaWe9>jK%y&>P-yUEt@yZLBL5`^A=^`Q5@2fu?71xw)R zfw`s2i()pTAE7tsL8~=wN?gL%kfLpCEEju*x-oQFd`Ea}QMcbqm*IWo(8f?nhil4F zIdxpWBY7TwC?`B<(^yWp*4DjMJZufMi zT0z(x;oA?m?!&h$lEL_SDUFt+LAx1O@Q4d|g#R=}phxn&w;TL6g4x^MbzC(MtA-ki zOfB7w@4oHq?VP8tf)4*fJ@~KM=4OKed$l0)CtNpMVMz6uuc%ry0AiBoaC1ZQTvHkU zZs@BB32jvgb*DrHjoD0?<=Jhd83+wvZnmJW0^CfZwJT==ja{);v}s)K?u9UIbK3MA zz8Q6}*yc(+{tZA4^Z#g5J9f>$sNVYR(e~WUEe-$DKKjqR+VNjCdH$hRgWM7SJ=-5O z=YKqT_U!BWkI!<2>%T~z%e~det#HuZ)oGA^5UNZtJwfZo5*0~_BI9y?{T+tUg2|jD zIBpI0%wr4XCcm1@hcPHkoLTA2eg{TbicG7`|E*a@KPH={tvRuLJYcgnWI_M z5jeiGcr~vfb_rJ~gV&n%4!^lt5K+z~*6pr}IaAa4;eDKK!jhx*ux9B7F| z;3{PM23j^SH3+dfTjk}YldNXyxT>u+o%lX%Y&+v_RqS%wafqhAmLin3(52U)nhf-$ zZ-Cz1Ann2F3?4~bu28(-%bW;=-v4?&iud;iLp_WlIhoRoDvC1xshFa(VDS%Bx!c{4 zoE^9zGXzOlf@VR=xNEs+HDm~H^CHXkM#F=H{il_5n)N6_SNX*jTdZaYvdU)4>N=Z^c7T~6Z8d0u2@tun(NR4y>9|&h~baLMpzbzfm@?9tV^f!5^CiNWs(1nq!mpVYdd# z<7fUhmAg~DHwt)%kZ+m-SjX2X@f(X)qCeX2Aok(q|Ig3?Bc1^rYr5dcZkHrVO$<@@hXPG7#iI6nX7DrC(f)ISy1%X;H@a&dX`=KbsA%cJ+_$N%T&uu6)4PklyK*MTR^3GTY)C^yT%P8#9U}avNvWDR+AvajMc8>;ANGq_~qP6=(MXmb$ 
zMDiex^~>8Hw4PuZMFkbEynEo)y1;?>>~=v9d)Ac1h!Hp#ScvmcQiH&i^cO z^1$1G+>!qoJ$u^R|L5@F>A~0h&*!*Yyh~ULk8a6t*bILy9~5SRc7q&uXW)9Ub>M0~ z-~>6Tik7|Ael5ql8ElG*?1vd#o6-7_3;LV(kl7hek6Z~9f3^G-JZu8XH1g6+2R+A` z#nqMd)6f5C=C2AI?&Mf)S$$ALC~N_YD-3`C~@g{^vYR%gKRL zGsW$m{@~8}Ux!Z`_W#+l(bxGOpXF-kN5{<2rm3}CFjU_OI+j!a)hudg4R6b+e`+?p zD_`El##;jH{Z{t>^L&78>%ZU`K5PJZXZ$y8?*Df9{(p|^`g-s21u7_Vw_(|g z3%8l0%do_7%2l=blYSrUHC9fA3XF)Dk|g{v7FrMUjudL4V=?2a;t${1`9a>GobwE~ zv>>;9$oT7jVH8DX_pT&4H90wHW|+T=!ek4)?Mb)XK)+a_n3{)f;`x;}VEQJbQuW?N zgTdfa*!?|aDP{BjFSyP#baAlf`z>sWd`xVF@{^b%3$u*E^t8owQ3L%ntPkZK+V zPmWfT4jf$l%Rnvt*=dcIDCP){QpEfP&(|%U28DJ%VMO0*j>lVH`C)M|zOG5N0de0@8Uaj~fNZT%am)ILDmB37hdKnoK4MXHt)!%_3i+Uy(GmGZ^dB4F_)Va4Z!UWRCHi^Ld6O zr_#(%GsMUMkKI*N*AYeUFA(8v`R?5#kJ_()Gcy?V5A)x94Yapw5?TpgE(uE^EN zVp9O`O@mHs)BTwUo;Td{Bv>A3EK6(i`AOIM#L2kL8IQ0F-ahoZ{M!ca?7+{AZX&Pn zul7>RP}#jtyJ-nJv4bpEysKnM#|yXjul@R@t6x#P0$Jo{hxjCX4Lr97w#D&2h=O%c zAQ$|~?_k@>haH#%^GPR0^2E{;vp~0nbZbFpA10y7z`%^t-0q_T6C(W^Z{d6iZANgi*N!BH`_Yoj(gFexmHVNB5e3yX%N| z$9j~t*80JAKt^Yntdk6D8;bh_cQkblyNsjgl$-M%H0qS2G`mXMO{JAPs=@l{a6@nn zYs3pvpbVCUR3_c9AghK8J5F_Ait@xJgu>I+6-cn;oEM?Bfdvp_bGZ;+*mNd7ZFM%o>^P0|uoiJ|> zY2j*t!W(UC*_NmlJe5&&5(mTqN1<5jGbIRs%6#aU1etL5H z!`L2h6Zkg1LSZp#9WT-?s@?rfHcsRMG`B z-kr(4nv-=Kv)=`6^?agDK1wt_=r$8@&dx`1arEngW@xnAf6wa!HAnae)G-jURO?`t z8R01;3hBhj3fV@De4R zGfZtnW!ODMsUR05Q8dwE0D~oEDLj&ju#||D{)Xi)_b$Nb``>o=>VCKhzUF~#r_}vj zuoMMMJZIysU?+Y&>DMDWO?lw-$Oj{{+K<}dq}9 z%D#2o`cY|@71z;(ZaHD=s$Sb8WX0{dT>^8oM#?&SWBR-cH=t!BqsMSoOfxDM)^Kp` zNT}9UBho+mNLo_G#ae@3P&UsnH~>(yuq5!&iRD+{xs*N}6RF@=lxo*&k~>696PKW1 zGK&7L(STfXt`?P%@P|0LGbv1KtvXaw&|-5Mn9t(5XhGTt!_4f6BX8DxXl>+a(h+TU zhS{dS{bY7;P&6s24_e9y+Ml*CX^~^k;|M&B**c(B+%MMmMC`N&5r%MWsC3WT!jRjQ z`%(#-=a^bYWg9Fi6|EU>9ksFlR89?bHLe0#9f9Bufiq5I**KAdT6UV)tzwO1$#Olg ztG+6>SbjHo5=~~DKc5oOH!XSIIW)3f*`$$Lh+zlb1XNlUDQEt!#9Iy#2NP;94SQFREK)|giL8Ruh|5&=7Klv)8PiL)(gmI*?r zGTI2;o>NLA8Buf;yjcWqymPgZ?u^RBoxWDujYz={Y)*?eq(f-n*mC@L{F z(W5TiIM>ZYOYZm-o~6F5iP*mzI=Ju50dOaQg*XalRG5!-6x|_20-e9NRarx1zAsrr 
zIdh-p6pmLNK@?3e6)i}{q${lWFARZRC004 z0E6L`+pdkOwUbZ(bFe?$9}R}X{k_J(&?O+e=QGDARt`>^vJ?}~qpYswQqHFc+(y9=$%kI6HcAJgJgl9ifsFR%dSNCgZ1* z)0Y>|ANdpbs+fK^a&>j8SX5U1yk;&m#TuoKn|j|~8|-iY_q&_k|Af@8JpNEjF;N)| z1{Hzdme^o0(292@sKVz;6zD$*Abe}^e(R_*yC}py*XWvNP(Jq{pQk#5@_B{wlWH|~ zr&;A~+i^YDo+;99z?!muIH99+rWL{oxZNf)h#bu6vGxqtf~E0a`BTZ)>+ALP`g;9a SUH>lt0RR8ud=fqYf&c)5n0(s+ literal 0 HcmV?d00001 diff --git a/istio-ingress/helm/istio-ingress/deps.yaml b/istio-ingress/helm/istio-ingress/deps.yaml new file mode 100644 index 000000000..c49199476 --- /dev/null +++ b/istio-ingress/helm/istio-ingress/deps.yaml @@ -0,0 +1,19 @@ +apiVersion: plural.sh/v1alpha1 +kind: Dependencies +metadata: + application: true + description: Deploys istio-ingress crafted for the target cloud +spec: + dependencies: + - type: helm + name: bootstrap + repo: bootstrap + version: '>= 0.7.12' + - type: helm + name: istio + repo: istio + version: '>= 0.1.101' + - type: terraform + name: kube + repo: istio-ingress + version: '>= 0.1.0' diff --git a/istio-ingress/helm/istio-ingress/templates/_helpers.tpl b/istio-ingress/helm/istio-ingress/templates/_helpers.tpl new file mode 100644 index 000000000..dca208f47 --- /dev/null +++ b/istio-ingress/helm/istio-ingress/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio-ingress-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio-ingress-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio-ingress-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "istio-ingress-plural.labels" -}}
+helm.sh/chart: {{ include "istio-ingress-plural.chart" . }}
+{{ include "istio-ingress-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "istio-ingress-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "istio-ingress-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "istio-ingress-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "istio-ingress-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
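Review bot: The `istio-ingress-plural.serviceAccountName` helper at the end of this hunk reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the `values.yaml` added for this chart in the same commit defines only `provider` and `gateway`. If a template ever includes the helper, rendering would fail on the missing `serviceAccount` map. Either drop the unused define or add a default such as `serviceAccount: {create: false, name: ""}` to `values.yaml`. Whether any template includes it cannot be told from the lines shown here.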
diff --git a/istio/helm/istio/templates/envoy-filter-ingressgateway-settings.yaml b/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml similarity index 72% rename from istio/helm/istio/templates/envoy-filter-ingressgateway-settings.yaml rename to istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml index 0d5acf7b3..8c1ebd488 100644 --- a/istio/helm/istio/templates/envoy-filter-ingressgateway-settings.yaml +++ b/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml @@ -1,13 +1,10 @@ -{{ if eq .Values.provider "aws" }} +{{- if eq .Values.provider "aws" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: ingressgateway-settings - namespace: {{ .Values.istio.namespace }} - labels: {{ include "istio.labels" . | nindent 4 }} - # annotations: - # helm.sh/hook: post-install,post-upgrade - # helm.sh/hook-weight: "10" + labels: + {{- include "istio-ingress-plural.labels" . | nindent 4 }} spec: configPatches: - applyTo: NETWORK_FILTER @@ -25,4 +22,4 @@ spec: skip_xff_append: false use_remote_address: true xff_num_trusted_hops: 1 -{{ end }} +{{- end }} diff --git a/istio/helm/istio/templates/envoy-filter-proxy-protocol.yaml b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml similarity index 56% rename from istio/helm/istio/templates/envoy-filter-proxy-protocol.yaml rename to istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml index 31ca264cf..dff592424 100644 --- a/istio/helm/istio/templates/envoy-filter-proxy-protocol.yaml +++ b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml 
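Review bot: With `namespace:` removed and no `workloadSelector` visible between `spec:` and `configPatches:`, this EnvoyFilter appears to apply to every proxy in whichever namespace the release is installed into, not only the ingress gateway. If that namespace is the mesh root namespace, the `use_remote_address` / `xff_num_trusted_hops` settings would reach all workloads. The sibling `proxy-protocol` filter in this commit gained a selector, and the same three lines would scope this one: `workloadSelector:`, `labels:`, `{{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}`. Lines 11–21 of the new file are outside both hunks, so a `match` clause there may already narrow the patch to the gateway context; worth confirming.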
@@ -1,17 +1,14 @@ -{{ if eq .Values.provider "aws" }} +{{- if eq .Values.provider "aws" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: proxy-protocol - namespace: {{ .Values.istio.namespace }} - labels: {{ include "istio.labels" . | nindent 4 }} - # annotations: - # helm.sh/hook: post-install,post-upgrade - # helm.sh/hook-weight: "10" + labels: + {{- include "istio-ingress-plural.labels" . | nindent 4 }} spec: workloadSelector: labels: - istio: ingressgateway + {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} configPatches: - applyTo: LISTENER patch: @@ -20,4 +17,4 @@ spec: listener_filters: - name: envoy.filters.listener.proxy_protocol - name: envoy.filters.listener.tls_inspector -{{ end }} +{{- end }} diff --git a/istio-ingress/helm/istio-ingress/values.yaml b/istio-ingress/helm/istio-ingress/values.yaml new file mode 100644 index 000000000..7f603f191 --- /dev/null +++ b/istio-ingress/helm/istio-ingress/values.yaml @@ -0,0 +1,10 @@ +provider: "" + +gateway: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + istio: ingress diff --git a/istio-ingress/helm/istio-ingress/values.yaml.tpl b/istio-ingress/helm/istio-ingress/values.yaml.tpl new file mode 100644 index 000000000..a6c52c0cf --- /dev/null +++ b/istio-ingress/helm/istio-ingress/values.yaml.tpl @@ -0,0 +1,13 @@ +{{- if eq .Provider "aws" }} +gateway: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-name: {{ .Cluster }}-istio-nlb + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' + service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance + proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }' +{{- end }} + +provider: {{ .Provider }} 
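Review bot: The template enables `envoy.filters.listener.proxy_protocol` on the selected gateway without recording the trust assumption behind it. The listener takes the source address from a PROXY header sent by any peer that can open a connection to it, so the client IP is only reliable while the NLB is the sole path to the gateway ports. I would add a comment above `configPatches:` such as `# PROXY header is trusted from any peer; keep the gateway ports reachable only through the NLB`. The new selector also depends on `.Subcharts.gateway`, so a short comment that the filter requires the `gateway` subchart to be enabled would help the next maintainer.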
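Review bot: In `values.yaml.tpl`, `proxy.istio.io/config` with `numTrustedProxies: 2` sits under `gateway.service.annotations`, but as far as I know Istio reads that annotation from the gateway pod, so on the Service it likely has no effect; if it is meant to apply it belongs under `gateway.podAnnotations`. The value also disagrees with `xff_num_trusted_hops: 1` in `envoy-filter-ingressgateway-settings.yaml`. An NLB forwarding with proxy protocol adds no `X-Forwarded-For` entry of its own, so unless another L7 proxy sits in front, any trusted hop count above zero lets the gateway take the client address from a header the caller controls, which weakens IP-based authorization, rate limiting and access logs. I would keep one setting, derive it from the proxies actually in front of the gateway, and state that in a comment. `aws-load-balancer-scheme: internet-facing` is also hard-coded, so an internal-only install has no switch.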
diff --git a/istio-ingress/plural/icons/istio.png b/istio-ingress/plural/icons/istio.png new file mode 100644 index 0000000000000000000000000000000000000000..171656a1fa09510aa361432e7a93b4e95ad6673c GIT binary patch literal 2693 zcmb7FdpMMN8-B;mG;jJQLy_3lunzSpHhrl`#-Wfyr5tt^(*cp>6gi}E&U`LHTBWVc zvI)&lPA%2guo1<6rD>+bH-ti?7&K$X_xsJvC9bPKzUI2#dEa?{&vQTbeLv584SlbR z9YIk;5kU}wgT1XQf?&w-LYIKZm~G8=JijHa4Wt@DTsN<9-OTHYYyE!oG>D zp4NMPcgBHlZ<2V~g=XoveadzWYvq5YPzv4f=N)M&`UHo6XB72OLdTEZde_IhS)N=@ zLL~`X&9<$px2N~&rK)Xw9rmgzu2&R3y@vFx-Kom#FT}a-@ktYH{|Ljw!>ZZ^hb9l% z`v1Jq&|%$7Rz)0k=FF<0A0?5rtP`69gNr*NB>34sKnkw5cIr* zt<`~O?pTjwdcL3fU;iBvOA7oBr7l~&I=MK?Dwu+`+EsvCGkOghyngL5r_oB3n^*qx zhV57e#n3s`-3hlFTSM6A#nGqO9z2lk{A9YO%i%YLApZxKMD^GFJb!(1ZYY(l#I}y)la#0cb#5}&2IDv?Wqpr z-E-an%Enbu1^YqO=;^^L=eLN6DCv^$eT)_;okVXwqCk$qo4A)awj;7jidg z>M!?tV@^uYt&iHtc<~-|wAJ8_^PV&CyQDluXkJyPGddFxl~S#DepCSES{_y2L&Rpk zGVD45y8Y0gjgoGSrjZf`ZfhnXxg9WQ0)v0d2UTVjYr&Zc4F?ipa9n~FvebVI7Na|j zR>PY1FVx6@jONjOsfkfGL~;@b6x01+aXw_>3xl~Z*!DTt=TQmIW(>hs#{!yv*j6{(!{^Kx{n<~2&GNi||wNn=2NGc}Qv;Oq05W}Afqj4$xzbBzoL z3UB?TXW~_Zrdq#c9VEBy@@j5*#+0mArX^OJi>pV8UW4X3q{F2M9k#U^ahD! 
zE8vNebbV+;F9^!y)&_}DrKV0o_9^k>+wdMOzH(%XEfOZy^PyFZf=nh0ScoOEslXV8 z^bz9%fYdC=?>Lc;@PrwD(%d(&^o|6KMw#qIYg<$XY=C7ms>h|NE!0Ga2`2>smify7 zz5`CeCi3h{vL@})oOW3gy((!FFgDl(Y$3!MU5wKrBO=d{69Lm+01Y+?@LvVD6msTO zkm2DVa0;r%$(x)b%V^88Y9&yf=WFAQ`<4lUET>~)`Y$ZpY(A?Y2pp5&W zu$#^#JQNjPx$}bcsigh7hfmCP&GP4r;GTe+nrQ-?Zm#=g(`pLUEhy;5M%rP?n5w6i zNM&NiIX>xAP2j^gJ2lS4bcoG#+iN__dzd;?yK1?YcJ7>Ml6b@ZxbGy7@`;U(lfodo z6c^o9>0NG$fJdxt&KP~mmDX~Li-LkNI;XJ z?{leCanEEXUg^Z;4=uQH*SnIGEL^5{GP6iY1uK&OM9D)S=0t8{Xz`D!SCmC|pXz52`s2In zO{+`Fb|aVte{pEv9PVmS=8E%mr@HS^7^XsvStb9nckS+xH_FVn*YFejchC_q zcR?T_GMZC4+Jz5!eTr+KOxE^YHy3cVOk;T+b2)=zA?Ezau5}jaE38e4=ISI^rblXA88YOO*#F&0##g`oQD9|uyqo~mJV*8wP$v`u@mdM83xgix*jse8+5Gv@|W zHxQaUsbgI?1ZO*M-XEMOYT$1l8Cl@S|M}R#>czymDc zVQyr3R8em|NM&qo0POv5ciT9UFOKhHzY6@)_nhvzCz9h%Pxp?WxgDqD9mm#4a{BJw zyFUjaAqf+T;1Hl}@0@w>-vfZ8NQoq>D9W+ZtOqk43j_-PstSdw4`x)dXA4|K{y4Z~yJ&r=NcL>FqDS{P^~#e|vNCG3hw#fMxR z2UIbsj^}i(3&>*{`mx~t;N&kqKAimJ$6*vMj=r$RdlCEc^k_iLhesh@u~VYg?ory1 z{w=F~!PPRE4Lz~4?b!c4T5omiYY+XiAhZA1G)R~{m;i9>|C3+d{99B&SDmNjHo4- zTWt2+Y9*_R6FpAsL9sZb!KJMw{eqB~t%PDD9td^j`!SR9l)QRnSsevb z%|*N-_e&PDR1|ZWN@wN|$w)}aX8|L2rxO~pQ}RkgER;(=SFc`^R|_wCWry}GBy1I_ zM_ZVz7!4)iO4mrqnua_GDEVtLV{yn7lf>7f$!Ce~$7?PI~#)c4II(|Se!Td`GS^oXv; z4*B``-8B1aVc5STn;|FnY_=5QOTJv}Uz6Cf`(DI^J(x`W&YQR$Uu|YdS7_FTrvj2lx?q}jpG(cJ{Uv3Ec(HGGgi&x=m&~-Dn*zGy>54h> z*_Cq*$#85-47Io<|N7Ua%z`OGgP^j|*B+8T6m9K)EqOY(1D*T-aF^o2TTrsV~V`eD@8At0S$uTf`w+)ylN^a zA{J96;$q1GVWHn|`maY@`#-fEx)lMA{r}_7C)@h}r$4{x&wo!s>HZIeB0sQyJ|ZNbGZsjDvZ7Ixl{NoPZIRO&vm-s0l|IRRP%&HE?`k^# zuYVn-X9d&vAmwyp=MS^0Oub&fS*UD3EwhAFiP_RQA!C#114xORrm{wW29j<5BJEi@ zYd3GXadNX0!=E&aS||@4a$I6Rm4RoHv^^rem=f9n_iUubUS)i{1c7%Z?Qiw(#{VM-=?)t4R@*R0kd7vjCBuS`vU``V2-BUT2Bxclq9Fpmh70>D_7D2$` zv^L{QNFv=?>nu`&eAZ2THm>K0DsP!Nr9OM~*Cg}<_Lxd=tf%rBDr>|#D=o|32JT7>qmxoFgDpWWw!M*i#7`eeowJ$dz- zyjq{U`tPr90&VI4Yydhv1i0+~Uw+xP|Ns2v=bwB1{}hx;kC-jk!$-4OUj6@n_^&sE zzx?c~ztt8;Kv`^81$W@L^W|Ap$(?o5LSZWXOs7h&7 z4-g@dh*kQb{?Ai#^5-`vKOSvVsq&&hLGMPfP{I?zDVd&+wm$o1>$9RbD}Of_46209 
z*8bN*kHv%3ilC{-eNS27-2Z<*+1mfVynXvizyF_tz9UnuHPZ5LP)Sj22$j{bH@ zkch>pQnS}Wc8^=r&N!@5p2+lE5c3Mv}~jZ}&ucTSUB=S^K$K7?kgQ zcI7~39B$uQ{p(*xJNG*2*D(zj3{t_y%-0(`vx2saqQXCG4l;xCh8obkFKBzW`t*}F z;64M@%>UN@Pxg(^U1s({G2B}Kc z=0RHKHMwWRqv7|;Tp6doXEI9f9Bt;ujC#w0tx>+I1{wv`jOdoPcMM@Qd%MOMM14PviYNsQ4pJ*;D3yrmf(;i!ECNO&E=|OrVObXH zvCbjg#?jH;gfa48`EURILsqr^(@-vtec?&-5A#2Fy3p~T(lDsiiiSS%g_o>YsI1|7 zXF7Cg2Z)CY8<&!fpvXqf{MC-72}mkjo?9LA*>+7&!spY{czj7_%u|6il?x$N<**~u zqpYz_UG_hZ&3_KU@+W#cvi)Cqm)G4IYuf)OC%>Hh^7hAV`|sqW_y0TzeMjEikn5W% zxp;RuB?Iys3t3E+-P`90BR3HX&qkMIVSf;@5fwfWVY;u+MwhaDfTIyFxU9Etgw7MG z#A=+1l6P#*L%wqtM8i<1qKE!fwnH-+G>D8h_SGr*!dO&)J~GCqy_eA&F#WUn!;-~Z z(FHptQ=Yq&^Fvft&RRqFRIZ{RS@2K}tNihqg|>)A5}nq#?9J}A9C}o-g@}3f?=-S` zkg`^E`VUIK*g^cA%GJoQWBwR$ss6h4!xfjd-%*gnG$?f;^<9UHB%pEemm@-?C$#O9 z+n?H!To>H_#`|Svj0U5ahl<7LB1l$Y-jhW*ROM8q-iQ8@!nYi1LsuX%w+g4rV4c zF|Ss{K8p$UVj(4wETVet7p{kfvh9*5*Q2?G6bUZcQ!kdlC5UJ zBboC+u~-g?wjWFsoX-^Hfh1H_BsCZ-A`fCdwo#qOrm?%tzCPC5ZeaJ_aH&?o_azRh z2OztSnkcxt;GRCpR_t2GqGPVkW9I8!Nds97mcKc_v=wDx z^Scw!z`{x&%2A8Ni@9PkrzSd?DHgAI$jJSYdrP8XI-hfo@ZDh`B%(5nncpa(U0%6j ztDO~18rOT;6XCP!Uv|bZ?SLLV$pYqC&64tN1ptqU&tv9U_j7fv)r-lJUQ+Ka-d|o{ zysIs7esy_qJ+1wDaxwmNF?M`?cXs{muCZjpSJ&6(t%gsQ)xtrb!NEDox3|YzN9T zyCaQduo_9*v^=$oK5us2=L#NeXv9ocpxLxJ7i9to&ktvn;{5D(`e9d;+rR(cioZ{$ zXVVErkXaQ~j;g8|v+0s;C3TprqAcwsl~el9qM-fi#A?m7J`BF(DKG8TuRdVY*yjt-QI^u5YSn` zDm&4MaR&hgly{j0vDkdCEf;qtt&A2M$JW$5(oR&>|Q6wP||A zJ+t%v$|@FY)3+qSi!ZnXYXcF1hH0FAXY>U=v zBieLbOX?~niAya)lww#ZR0^%TwuB~gu5GHNG%)4{B|k@04NjdAfMe)=ENX2r;;_|- zweGL4F0Xf0SFy;4n@OFy2ISUhN;DY~wIA2~U=yuQAw^s1tDU;cH-4d1>Vq%-C7JC+ zfTnzsfBx&pT%djHzQTfeY~qfGRq?-D4#VmYVT{9YQ$v-*@ZE-|ai(WBUc;?lcU*_t zJ+f216tTMAa5x~o9hQw_aqGM8y^Gq^GdCzkg=P2h^H{8MPon-qmhzo0$by4QPs4C2 zWVTuC41U=BVQ16#{>_wn|K^r|)5cUB)W2Cae5i>$*UKsp)F(3<(9q-I;x!S83OI|6 z1IPF{UTUnHzC)T-fCUz0Fb1O!g3oSWSh);ycTcCh{v#V|Ar|silEC$k{OY z9@Snd+g{c2x7Pe>)cf@cT}u_fNfjZ!P-b`@t_<#{%ft*CPG-2XSvR&+let?O=IeBb z&6t{DsWVF5heqoQtMflsG(JteXT}DxPFAY4)e$^e2LzW6rXZ%jC&JL~^pOx1XFgnQ 
znzS5fF0s|o57X(Wzz2zh2(&uU0;=NHpdD9+vmbAxMNECxJPWmq+QZx<;d9f;li^8` zZE2#G0d*2{l((E1ZLBN%F+U4YDTT+40xU=-*EkTsStg?ad3W*t?DneZ%u*gTbPn2l0xt_X$Yo>({Ud!CvC!w?V$A-LFj?=SE|NAhw36bXdix`oFP8(j z$k>k`=>vwN(#rZsANVR+rM_t+)jh@6T7uge>pcTyqS!Ta*n#1Gz_eu~k_wHsOFKGF ze{bwvkyyBmn1OC2nQd<{evqYBe+B?u)m z>V08hh2^qKhg}Y4kW>s3)`#XLk<1=pMp=9^cBU@p_Ru4Y7vpuBzn#ZB8?P-?9b}Fb zUmK>{1P!_3CjGsrV)V%kK9_bpWgI|Dl0AM;gtI%)#D}(GVOv;ORMzt$!~f- z%6GN1Q-~dmF$~gbTT80*lKqm(t3!yGja+$`p5R#S3dTiQOPcf6*O!gTi~h=3L<7EV^rB}}DT!tTun;j<%T?oqi;&&So3DpL;Zztjd~B}8)}-w`9y8xPi31|}DyqEoEf>RWMuV#< z6${k|Dl3A&s)z=GyKfmg&fzQ<2MleA7057`TYwLF`8$2!`(P4i(-g6%Y4Ti%FZ^km zOC+0^JFv^>$-4KqgvE~|8q*b1sF7{cY|BY(-xO-{+BJipwD#R;Ia%M35YWm~3(6;H zY(*CVTOV{*k^O1c2%;ZYOOlWk5A``=%)`Zm{|_^f1Fml{TDPnq8_fb(wE#tqQQ}wy z4piQVJ&W3}sJ+_Dc=9r2Jhr(Olhm#W@Z{jD$4yE*_FGKG3*NZTOBvy348cFXavH>T?ddmH5|aOqO&mzaBJBfi*TEg@sBO2cL$Oo*jzux^Xl0n;zFo;Il2+?Ze|&6` ze1sYB@(KhE{brSZtrgf}cF3VuOyT6Pr=&AMil(Xz|Zt-UujZU;P9)12}^tXWJ%od5SI&9pSAe>TE?_&uOD zM^cYhov+FF$KU4(0X}T7EU_V2Mz=8G2vHTG;B|zH zIj&<5b303RV;Um8@bZARbc9WyFD%wCWhD(0F21Hm?ipV!VM4UnA)w4^@j-JQe3?=J zP4w1ILl&~7x|7?WmX(41yTs*oV$&dCYZjPzC6kM*w|mTeMpg{yqPW+kv!G_eL&8GE zW2P!%^LNRSQoTzUk-iaTy)bn#+Kn)c*#a13W$D1e5Pw`g+}_`we)N*uSwHsi0F%$g ze3J|W>Z6#aX)Afsy%e#^ANnvkM83$;6+m@bQ>`qPAgcherd#J`oiNY2U`pF&oaJd+EGJuADLypC>vpYIAj6>LlqMs- z%W@IB$WGFG@Z#^bz9}GLu57c}10-Q-1^EDVG%D6N!@NZCHT(0!!-WA(L$P?Bhsgf< z;UPs{BR090P;<04c=$ zcZ6Xe1ILth|7C9l)Pi1C4S@Tg2GW<2h}D%osAe(H;GpT9T;u%GL%?43Do3BRLBi!5?Wuv~Ifm86h)j?5^x)M7Ug zbar{MDQpx2F4Mf&60%c=jY&WhhUTGLYLSf&=p8Iy-4ZbA1CjE9Ncg~KVgR$*v%+lz zM4QZZONjjTj6qa_YxWT`%{65Xo9vpk)-DS*`?_`Zdw0#FGvT{wx?NU$H*N2gA-^vR zdrkVj&9<2AeVS}L$@_M5ugU!bh@BSs_T4m$%DvyW$(H@xr$Kc8+S%ys^7Ad>Z3=MO zVfF#039!k6H&@!3Dkw7rEh}2ci54=V*G`ZxU!Zns*L3Si-KRO^WVUUp%_Q#Atv!&H zzBy6x+|_H_c}DlEZ9}O3v@sRhnF%=kjWiDq52V*3CkCJzGK~idt&x$i*c>TY_OrpdIuZED9XLgr%0oG%mr~(!Q7zX}c|BHV7Pl z0?(7^2!$f84lglVe}>6Tw}e2au!O;=z;t)XB?74eqa>MJ?uS=l35{Bjb_}g3yT9hSPm@34eiB5kldDwuX7dH`2R2T&1~S{QcNV+$JT!xBCL 
zV-Lnq*dLZ~2p~}Ze;L%}MNMuCWRNFg6PHthMhpSYE)-Y95>iCrF-9yMexG4cN1lqW z{cuPu;m}Bc>%_PeI>98dggb^K?1V_ffZ4>^1~vr{Hu}hCSrJcP1`z1tl9;%fkeCJL zt^eHDG8ZxOO>E#gUr3<8yeT>Efzb=K+a&TZztY+(Mr^8u9=`nD%c-_?k`w^nAAest> zOAOOaK)nRiNGM$do*cOTdHVGT&^A~-lWGvB07YpSc!zLW1*lIDngpgpKuSR+VaOU? zBT#`G0WqH{pbWV=G;?p6SE8pokv3w{vIz2WFB$R0eYk@{)Y;T48ZVgoAf)r?Thq-H zyIF~}!)2D8JuJ8axlBjK9k7V(-Ux8AukBtW;;+*^wUpY8S|;FgbxjK!u~8R$!UB7EL|UDI7`CZDzo5N>SLPFg#M=o^ORa3U|*! zwS38U%~J4VVIBwlt+-4ABF>oILbru9x=C_ zFkDCYp%COpa20YCaAPyJz+-fxEjEB+H~=slU>7h<1}FRw9Cio?RRDq+0%L|e9{|c0 zNHcAlK_JYuX#$HZ)3zHe5M{6sTgXXiQ$27puvKFwp$*&U!GD2U5(Q_|rU4*~4R(IO zd}AvH@r#M*!NKgn^b!D8$KCHn^#)UIaJA-CX`sCW+&92I(@V;(*hWf9coV2W$5sm% zY)qBVLB_I)8r&DKjlQPn#*96PPfUeQ{-A0Fu2S4O0H8|TY(ez^@Dd7$xYh;A8eEgZ z(A4%uP{TMUKuBqwp`&3UARs7cogkle>n6dWn!yphK=@>cD?uy{8G=(3q8Qls>qZX4 zqJ~h9SDoD|B9N_M(*i}XLc*KmFcFR^-V4$M6wiopU_jwYV8~MiBq@*&35Yg@ zOScDsn6yWd!e%=H5u*wSP#`wiqC{bm@o*^+u9#R5>JtX(sTse?(YYOTr@b(n5aIUF zV0#!IQ!k_n)B%pt0YnWtxV*C+hr>TYU>% z5_hKny3!=b&~Pk3g$yy~5I8!ppfY5mK#Uw5F3t-ad=$=2hb*|`-q5%;07M$V#>61c zbhk3$s50HP*%mPdhZ0l5e{q;qEs$Z{hQC9*L?TvK`e>6y-~od5rYWd!Bm(Z~V`lCU zR)X-*=WFgKG%$77@ZM-<0Rst~Syb@ah%=+gQWtquIIajb$Et!+NTwCYKTycV>L%aH z5)^<0mV1?#g=b)8pTNtaj&!YZvMgbNvv7_iT$Yw4bgmX?Wg+spEFE@Wz!_ea4w2_& z3773v>?&|=w#)pg=yq56Uuhq}Szwk9yBwf-VNbyeGE>YFI$sQ`4)UC`PO`>|;{iju zf;+dG^2jV5B%90#p*Hd;J~uminW88 z@BUsARLq_GX6XvlhTg;R)_>IcH=%TWrUwG1poNTfqdf>C{}qwH5^!J9tP3{bwLcwf3(y^ z79^fW0?vr6;Id6#q$Rw&3zQ>S!Q(!ek}Y`!WldJF+BSEx6`QEnHZj?h6&>3@r?N#C z+vHcGc{f>>zy%D-#B9+~NLFS=#{jvRppNaGVP^>|v=G^vmb%W_OxZv>)=}FIol)2_ zm$OY*V0oPtOu4f=K|^1eLHwjEu*K|w$PBfFnM`PwXj=LJ zPvLj@2tMLnCA>=v_vHOyGD$4~^GPkCO*q^G`Ry}Ii|k=;X9+6X6vIjyMBFy#wAdlU zqyNYcFt2-oa#1azGg4uiswQi-CNC9KXUp7GOXz0~agQ9rvRN(l!gPOO3eR}8bYNlF z@~OUq?0sBTtR-x2EU1rp{wyp*7E~ubi`EiiO}FwXK&A#f=dK)EOR#t7Ao;dgSwPlp zR@9Mun-zm(;O12V@^H(Xy0URCf#(yGnQN)*{9F{npydS1*tG-|=J4!YOZ(>V7P||1 zqY{7|xhyl@FIrV-h`DgTI&-BxS>^M5V1$O3lG&}K59@noU0gAd9S zG}`zOS;IwM0ipntL2T(Ts~w(Gd`K?ZW*J**lWXkUdNvoiZN_nN0Ne*PkiLu@?^8l` 
zq)oGMjcJFkOZKm8_pfW$Q2)BNt62ZKb|v+%Yd_o9wSjM9)wNWsE81!aSN>_EegI&! z19buf?g_33I@oa#hJaEZP!&efqY#9erF*kncOk;LWVus{JLNY}asvh!BCVfh)ilcH zmQq=7_y(~AkjD_lp)%MheL-^9C2<{s)V>p6&4pWRMNV9Vnz!!l3->t;f)XT=He$yz z7Z^UTrt@@$kvI(R40s zT(%8A-i!E4AgDiK0rQloIH5ML>J?Sq^2*%mR1Y5}EMPx4%Gw`mevpc)WQ&*DIvxgJ zk{OFbrkEUL$RdLz{1S@$a4_dA@a2}~+^Nf=krYZvC1ScLYFwGjVrCyluTyFfQHTY! zkz_?5O#>Daf=jZdLBg`8^F9|Z`7BW)md8F@v*4IUeBg<2t;bt;aOHouVv71y(eHPsKl^FuZO>w9J)A9A zX*u{**+1By*C#Wk=!sq7-jc0owzfsY!n4ukr?->RpX;QKUXA4qyS3ItIOmJ(hK>6x4sDdePNG6Ptl^$uIDar#$sM?G-mx>EL+P?7Qam?l{W}(OQ zkk9$zIAltTRvs>n3%DqQI0@Krsa8Qb?xJ4CvInhVrWK(FrJkSV2-SMTWkfxTu%GEA zE=%w%nhjDJxntX_(nYoASEJOfH@B9RhQmJ6YnSH+)?_l1tO{1Hwx2HZE@;q#*zh=r z-Qqg&H)XWcX0X^{sk21f3fe}_HG@Gm19qwmfM}^^lxE zzIsT`9qJ)DtEq?N>>)XONKQjNBxeuF*~EGe$yr&thvWoN56M~gMGwi@Lvn5v>mfOt zTj(J<>%QwDIlFGEhifC>mJsM6IeSRX+M+!qr<;06&Tmo1_mG^2VZVpu?7Wd4lCwZP zBxeuFSx-GAX9cT0Bxjdh>>)XuJJv&T_K=)=bft&n>>)WD`0XJ%dlb1Ik`u*V56Rg> za`up%y)dnz9+IF@IeSRXjCx4UI{M>4 za$f0!Y8C?x4w~M{HO?-xwuH*;2KKL*|BaU@cvA|W z>usr{jBiWrgkZbu?<)2?$^q}DGu;^io2>9wQe3vr4Y%}k5)+#(ZV8+-ju^f?@?`JK zaZC6eOqrI&4e=qA)ZM-BOEe zbU^Q5`RbN{Ngs%m4@ANTJ`)3&&7Ku*BOuyjwp&8vw`UBZ5?r&7kZG}A3*H1$hYsN zVN~w@zD>65=ROUh``6A!Z7QDIA&Qw8}DQH>ILQb@h5xsVT zeE9;kQ@f^HPwGC+At$qKQ*9=3pKk4etn|%^is!Cg+s-q(Uu_#g^{0)g(9TT2>2IWY zaCjiS7C|8>v;s@rVHULInjrBDD)?@XVqmGQixq)rP{H;7xCVQ1kH9#nV17TOgFP5W zJAvC^A6SB;2q3x*$4ao&G6bj{Zi1zQ^xNPp;4l;{wYp7&;we}<2&#gmjxyUVwG*yr zoCQlTv<0N`gT!V?JJ9M{s)e9vi3hM3WBb%R5&u+)q7D%QIc>sXWvOHU|}+d5L7M$WWB!mxzE z!$5R9dq&rVih-!IfS=JC8^aQMhwR~tf=?oHrNEFgEWwlBFen;n*@MphV( ztC3d^M%T!`z+h}xLaqor-i9R{>IQIW0G1mui#qaDeC>xrVhM*v0$eA?rO*i`i6z`I9API!A_mMR z&Ni?qfUwa=KFf-D`Z9n(7nj7u)r7<>FmL_mzLvR&k#E{6VZ?pz%9BuY5E<1%&voHB z_oxDcz9UU0ldxTArj1d3@weN{@x?pB=VT>(rd8wTkGIp?v#ZaCvGZc)vrusw!0+9W zO>mbE1qfad6bD%q*wU>-}Df7e`bAmIXV0F3YLdDAd}0FBXD866o7>X}r7 zI0Yz5!@xU)(<(rHg3u%|9RgAcDhWf@=o*0v+z5#IQ~_nk&7qll%e)dj-HEgjiOeo6cNhdc)xAfXQBu1=Muo`<6ap$7^|S)Z)U{~p zkxt=Al5R5thEs~dCWYaV0{46?+)=oD7P>WYn4&lwQ6xHO_niYHf5Oo|;i!c;giqkA 
zX@}&AK<|Y2502Q`{lr4iIJ<8diL{A9*WAU-bj&~lq9zz86L$K8DDWl>Ocd^A3DL5F zdC=a1DMt*Z<=!}!@U4!;tLzw~vJIpADUc2RB;p3A1?FV;asiGf3C55tBSX3ep#^Rv z{Qe4lmk+~)ETBAsy!~HZ6K$~p6vF|4 z;Q+gUVKO-3hv2Y7IH&>;%n%qercD!AWSO?zXn`n$h1fz)N}K9| zlYy-oGYM_jMi2fA+>$6bn>GyqVQjGT1LhlBF^FGGL=O&T2d0+*usZI3H>x+7YJ;ma zr%D6u9pJtJ?wMXvcEvVQQo@@+4LY`3z+hvlgbp&6P1NANfNk_OMK@;bL40B=bn*vP zD{z(K)&T%j;${n~2Y{DQK*Y5!P}bm@9EPU0H-Z|*IRQdS>kJ(Y69EB1LF)whtXnq; z4%G~f=mo+jLtF`BamWyyq7cQvzF#+T7#1z8Aafjxq#Z&STrePzz+mWKa6B)#+Yz|@ zQOHfL@VTHY!*IBe*jsS4xxEqQ;OhsCmeu*JgORYhMZfCoRuO@01)CNqf)x_pB!`J` zOz~cjCZKpmi~|D-R{}$xDj-RLd`LjFDO|ce2*jj4k`y-E5r`O7K!5_V(H12NlZ=N; zfpEpdf>56@NKei9O^(j(pgZk_*@OtUhX&ij@R)ibRiF-Vlnx+j(81-M?Km9%5d!mQ z3(3gQt6H3+J<*Fm>kN5@bR=lG=f{OW)Eu@7LmC313po*mU?@T`fd!Qz8wFzI z;BawX;NYWhZaQSa9ruRDtpOm?05&EDd8WIS2}hObuFbZHF*uZ%68?+BtZIP_<2L*q z+9eXPy3$9RECLS@tT#mS3HdZ(JR+gXuB(U78yevEeEBgdq7Ima+m6K%&3!H^> zB;m5OETMC?Kr0K8&t>Vb0|U!ly#CdRvZr)(iPmf)s#nO=^)u;mJmA_V;Era%PRWVCdWX4&Z?N*JMU~?*1J%TtuoP4#_{=RmJTbA;2CO`uz6~rv9Y;qEwj}uVc%xJq0k;C ze=X-6l*MKV4R8j{Xe(Bac?SoU-Bzp}%zXFvlAvPl+&4>y$bhrt4Cw_0^n${9F)_Em z=lQXZ^S61{7x6GZ@~v(3OWWvow%a~>y~lI>`!$Jviobnx?VjP^uX}sE;*M{&D$dJvOnz_LG%Ov%2%6*^)Xr({HQ*3YygTJ zqr|Za9H_hzdlt1{QG2zQ@#JO5cx-bmCaGN$;K{*PkDHWs?6*QBc(EJzc_}0Oj3M~P zR}SPGr$DjF6RP3BO7k#~E~pD)VE&_}F0vr;JQ8q5WCfRP@**wa-Cdv@$qF9#$&_r# zD=2HSg4MRUldaf9y|#(TrmX1L{yCK`y4WVa63x5GvIH(*P$p)JjzY3BD>??q%>;F9 z?+iOjSfPc;*0j`h&SuI6(y@-(cIb@4mbsj5x&q7VtYFHW-3c1{$_(NsU4boTha7sv zfHOcXb(;rT{N>VOnGlb302=*`^p)(jeltIj6-AAs+olet>!13zUm$37wG&(^NHCt2KG4pgLRT zu3ADrbBKH75SGnqsTZdE3sZQ;tEB@A!m=G2vqYY9A`n9N*D zUFYYb7zQmTSjMg;s4$0T?^@b7hqu^W$QzZYeBKHcyUOadgikNE)Z&Fph%t@G_D%Um zgzUCr1DOA7sYMpBbA~pP`HUwEl^uLgrl8TrhsYW(@(K_Im<(b|hgt3LoZ>@r(KgH2 zQkz_3=hm~i$Za!@iv!?3sDbolyN3GLwOz&f*R?CD ze_i|8zOD^?6RWPJT3yjrOStk+8}$PKqaCOdAaGA`JguBGkNfZ(q32VGxuciL?2@9B~M8yfUc~!5d@|IWT zR;POSFku1v!BN)!So4EaR3%%y)YkDZ_>#<695Th^AVU@zB;l7(+=qiXXMr!bH0MrT z7LBA(N-7c41v@2k8p!ld$t-3z_M?m8vKqg z|1O7I9IsD~zVOgLCFhA$Vl_@He8=Vn14V>KE2gMV71d49FcgXwP$XV0S+E+)<#EQz 
zz@Vu;zB)A!07oRf#Q(uvY0E=*C`KzbP>laU{tbA zITM6UShyCCa~>!b%VEfrUZXr*3{9ya7e_K;o^E^*izGTFRYh!FDT~^wTZj!t&LHJC z4X;Xk7Z~h!E)sy-PO=5Y~2n4ZnkQSk@;rh?exNt;}1p70p(Nh*)?wy8QHZQu=e<=FP@$L*)t>zkq%t!Q=f!d8q}p^W zYe&mnkF%e!O2GYtRoC1v5ZI}$0esVtuU%#pi~XEXm4>%9UhjZ!TLA9zop^lqKs{wX z&2x`Z=9I9TvopV=J~mu~ZiIHYOdV(T zz1ZzRmfU64Nw!k7;g?pIZ-~a8G>7oG?sW#_?D{_&f1g~wyEs1^-(6n+dUJc-6wS6N zdviN=7yj*Rdhz>NQ{$j1%H(}p(U^VTv23)~^!buTjlTcbAqD_MimnvzD;t_(qg?Rte%p#n}#-u4cm1 zAs~x{4kwq%>^*o!NUOko+=!3^j0$NP$KNK@9#|YYB-NXMO34?Y4UJcu@iCjYb5RAj z%&+8ha(!8rNITL7G!LyM67;RIn1)h|&(>Jf+e+i}mcj8kGlx3n9i9)Gs$1AjZ&v2H zv5`94y0W6tC$W0YW{-p`X=?2DAl7AU75rq^X{=uqi-*R5p=v{OBlUL;ZGYzY*?s`gi`lrsiRf=j#Po9u;I-r(0^wlH+aP*YRHeLEul)iX(IlefDJjz7U z*fU-HZhSEr-CR$g4WSPqn3K~>z?F9viNJST)50;{p8g39M7Y?vQT66&%n*d^uha_` zPzg_xC?vTQPG>xnx-pR^MDOSGgk|Rr$l2}mLsM3)E%ASweWKH|X;XL~XyN6P(Pk8v z;=bUvv5&ox8M8jW=9>xkP&VI^+cF<7#=kXf@&P$}*IdK+;^WPy<|;0)Cl}-C-LDt# zZ^odKXYcE8kxK>NUyd8Ioi%%-tF!Z_Rzb6D&iklKg#Vb_TxS;u>1~=74`jx8xJUyn z8mAa2o?1j^q1pk&oK;1WMzv@QWn{(-Q^9BRT(THJLU@>kecJ88lq59HcSi-Qsog^B z?aJmv!X~3|-$22jj}hE2MsV|&K147(cRq{oz%*ao{ACjwnErJqEHLBTPUSK^QRXc# z?(GkGtl%QA{TapymOTseIr9t{5AzpWZv&b5z*0ou*4AtnAD9jfDl|~m3NWY`Y7{{Y z;>YGzxWW<7%p%fCGtI@w4s5jRAjFwosBOip&*n4<)I|#3)4CpmObI#}6yr3_SA;!8 zBE5q!@h{nOsHx47Kmy4Xa3qg3o$Jbz91@Y@e3c@O?3BMI_t~p+t3+y(sg~&^k!arUCa!D8fO= z7SucyoSH&5*veMu=F8<&b0+~+9f`BlpKQ&i=%k$t6(j`));o6^YJK#^_LFmZPZTpw z?S|17GF4v zTC#YOa15IT(80@jrf``5+Ip;I64^YbO>me4=g2Z)6j>v}ARwU{b-mJ@NDYTm05xjN zl`->q%sjxxaRDN%=tFi@4Y+x#o4)K>SG{p^nUPwFjZ@)vs7$XWcW1ZL8&{!ECwFfE zWljKPny_xNGH>^t#}yB|82A*&tRHv+9(V`*hkImTaDo8X4*=wcajD+iL7N0(gAB-) z2H1B{VfZ0#C1r=qDygn?lhxEf$epjmA{-IqX_eR7z&8}e&h_rVS7vV#eQAs@drI~W z;o<#u9EL^D(Tpj2(mRfN$5HP%Dp2n@>K#Y5ob-;P-f`4Bj(W!tywToqR9)!B`7e6M z(N3A(aa2*HcO31>Tkkk(D%LxW4#nOd({a?J(G^3@OfH!9AU%t4vytY?nB+AUSs?3-hx~>5ngrAasmoV-Q#Uuifp0Z%t?8;r-DsvsTg`66&BuN7 z(NyzRsZ4gJ+LSk)$r`U|);YS3p5r>7b=gCjo<^{J?$KZS$nK8SZ3>dbLZvn2b5OYH zD}5KCinoKji$CqC+;UIs1nc(F&xzvZVh{h@t 
zj-^+DfB1MY`EYmff2J4X>$59e)coP{+Wz5BHOvRXD?%n({;$e^baf#eBciuQU|)td z=gLfJ+0p&s`sVuLwMntNJb$eje0M#mV{21YiLvqapIxkde;zZ_l__5_spu*)FSQbt z|1-{>q%`3F8@PX6A|G6Hg=DV9(u}QpDv777X8w>|n#T@9p~xbkF%1>7*Dv-xVZuYQ zq*25|Ik1oJ<<+g7RZwKxwx*$QC<-gw-Q5dFv?v@3cXxNEaCdiim&74)_d*MIcXw#^ zKD+Nd9rr}{OGjkPm}{<;D>5H4*Eh!a$3K?}if%fnJx)F2`Kf|;R@(cBhrAL2i02xbv9@^UfvexbD&|eyS;0K8z*KE7J>Q z<|raCJkA2Vtu#2v8;?M9$TA_Miy#pQ-&p) zhEn%K4WnZcJq9pGmnLbA+aJn41Xcw26@=4C+!H5)(QfDwUedbqDXFz}52o! z>WMgO4OEq(MCN8pgjwrjo~xC0Pdyd_62|tc=c#j=z2fBQ?8{!9PX)hZjXAvUk6`em z0+C4UM}H4&tcGtG+E#4KBFe@6WlLB!E`bHm;vfkGaPLkTPPC8Jc}BJ_8JJXZBi*NwImu>9n((`#OD4m`~wr4TWB`c zTl`g#$H1HWY16*`Ei@!WGisjyz4QR_&q?YHb=VSk1~UtqxazZeHzxyOo6yA})an;P zP>zSQUlodb(GQ7F#GrRg`>^VNKIT~7Ow8aaeKU@a|6*J^_Sh?9Kw(d*3{*=oQc;0yqPod6Jp zqHQKfqhht=8Zrc~%`WG5mdbBggsrMu(r&y#dxSBU{Wi(*hY$Sc)>YMI*?0so!1D6+ z_4A`FGVAc(-LO>O#;n+94TG1=_;Cs+D2owcBb9`rejSe zl-AoBtHOm59;W z!yU>75FZvipH(9UgKOhzE^T-eC5BOk<9yc(bsSsnzEf76ZD!tAiTwqG2KemS>?&kNzRoeB1vk5``f(ekTSCxa@!<~ zH#BW-wvR(0$$~sW|SpH&D` z)!_+$O*$qrkOLi+?+i5Jm3C*ZQ`ji)2doXDUE-V0X(NKP0!o(WEN$Sf&1iN_$HM$k zYgN-RBDH=Wr}v!@!j%WKE>5Z7Vmy$fQnfji%F|5@^tHz(MN53s^l(-TI5A$+G|U-pntj&`8fBApkC^Cfl3c30P?HomxcdbL=B!s^9{lEUM78NehlsmcXl8*+fsU(2naoNYJ$bXw(>}SIw@NMEY=@wS!NiDq;A0>>rify|e z+Q3zOu|iR?ky{$h)hMru8=0+ntneHTno&+{^{z}XYb`&e3Yirnj^XvJmP92uDr<&i z{Sg4zPQ(3#lJr7(OG$<6e25Lxa2a&E+n>TMWR+c6Fb%!kH|AD6$FMcTBhZkxOvt#U zI=jAS(1%%aeQ_j^IbgScLZ{ec?J69)xIU17Ek$A4UB;*o_%DoO=u^sQ3JN> z*iK3;0nZwF)PX`?b>=NcV_&7Ufn|gf8hm7>P(cO$qscT(^`v%c#oNH0e}tda`e+s* z=?Hq}oo%kqD?yW`=O$q3XM}$3-Y=jwamfszmNN`FT7sjmL(Ew4+K$+0Edm(H`AHh? 
zg6xE959q^zGdrnVJoX52y>52LQIZ2VnXuT+I3*}@ zU3&?g4mwAo;$p;P(#!}1RFRQ1^OVLM3-yH7#M~c1V6YJ1^TO7v)+bS44@?}CJa7&1qS1pOz#ZZmsu?yG)^!ZvZ+UO08C=$~rRg6Y`P zLZ^F;^aU8U-d?j}OUc##*<2!f6*|UTLJN^{z*Qb>H^9(6j;AoE-U zL52?3t05YY;B02HR$!GQYARi#FTIE&xM$ihhjb!TAum`?QJ|L-%QvLalp`&Nf+>f;*O&L$ng=@(gCmwDkLwoB>`V5$J%^^bH{$Vqd7ZZ+D2&khKK-zM zj!R~sEiudQ#hl>;=aTd_nbW$ZH5qz2o8k^lo;iwcZT1{^quGIsZ=ahMVlvXK{O9)^ zZQ@LMQ6$h62#j?}22@T8t9hEo`nYrF(JDp092z3?MCfHSO@|&bpevDfv8;2;(Z!=9 zijS4Znt)3-Nnp&I*~{5h zP~&Jtl_P>yAJDtH&2GED(5@vcLaObL>-Gfup#^Of@MIhXgP}t|&E&E`exm<;Ki|#W!$iNv=J*@D&}RqP0xOG~ z;3H$y@o zM=`Xyn+dWj?T%=181y%Zv=xHQiq3h`Tc;3F z`oJt4FcMp@bpXm4ullO-{q{WTyvE*&t!_Mz6MslfK|V)o9G@Ja!+1O%229+C1hxyq ztZ&Qgg=?3V0yTiYCuu>)#6ampe?D>{AXq!*L59?7IK+)62)Zv{P#5{w>>&klZw*0Z z;o21nnb@;?fG^Q=m91RFsCTE9QVD`PVj70z|Hj7+6V;A?1qg z%<~L5t!O447;aMO)#I-N_(TE`vykw}w0e;%AC^-~#i$c3(%D8Or{v;9#=RKRo1!QC z6?ooLlyak!q7|GIa}FqvMN!NeHNke*voS@nAtmYa{ zcYC2#wq2A4gQBG;{(!#4GRgChzOf;$N=ryKn@~d_HD~iH+myr7Po%akbS9G-Ovj)T zP}p(V&21?WT5!NJvvjFfW= zo@BkNAZhP#EYEb6c1w&`gKGTQ(RRNe4WyKqRfd1RVG)Nj7a+OiAZ{WEqTf|@iu5Ww zkG%Tk$|omsLkLGYb1mFX?CPr7(DN;W3>d@ytl1Q_|3U2H+3^fNjDSU4+yt(H#o#clZudyzieG`(n&H~h_$MK)} z*D8GTeVXwl2=W+g%s!`YZ?IGrNa;A+YWDlXV(8AOdJc6A(q$Y#m?sP}mpCO3SkB@t zi->qjm=b%X&gCcfyj2hy;)e}Ye~mwuyz)rQd8y5V^YLNdq?n094 ztk-uKK2d`>pT{ZH=0%9QR7481UrymK6>NjUgxUz@<9=rpEOx>P4By&i3v8TH3I?H~ zO;laKl<+z)&B<@oB%$pS+J5t4!?eQ$@uE&il#iz4thik5tlo;U8)@Sf)y-Tv!`P{mps>YPu8-V<)z!a@UQYZ2 zKh&}kk$Li$@ceBO~sXOezWBq)9(B%_{-=8*WW+b@a660bh*i! 
zS!0#%v-L^!^5J7lgh&Ep+AAAh+R*<^E^7sv?5Cy<2>-{9>?CxK2Cl`O_fDilA0V0V zU&#bQR}#(R%Xxgw$MwpTJb=>8^D0!#E89(@No_sR1V%+Yo@dz!;mPE2JhsA3pS6(9 zurk~7FB1LD#e=JvW%0vFCwS%R!8)l$bqkV=>+kxM(Nm9_=^wUgkWUA?qW*y+mH+|< z?PFHOw`h9b!30h+w1FWBq=vuEUDP#AASMd8gpisTdEM}U+~H~m%&Q|Aj8Vcx_2c8c z{g-KjG`ZbG3Q3X;@Ewc|DmF4TFqO$gJx)9sI`I3(UUp6Cx8^NFryUZ#LmVnb;B!me zk!c|9%~=o1yQEqrDU5=%&F97nK*~9N&R+q_H&_uWK<~O9tRJO5Hw(3Pj>A?9#*sfR znvBdq=@w-?IlJJoS=Aq;ea>xhD>6Q+N>bRqSGO_GXE~c~-<+A3iylEOW7Iu*d^JTA@2L>Q&d*50d<(y8EliIKg# zU_FGyi?;ltMkRWhIl<6$cm60{-dn7;NNV+9>wSLXdJmZ%&{s=pvW;CNETp_9^>DFr zg0Bg-tuD5pHIJ=eG?T%Fh!~R!&cb5b)lT#;!ngY$gkPC(*Mmc>h*}Bl{T5m?h1PKi zulz(alCVnr!T0#EUtyh0!yO%MzD!ptEkGHW|M4_q`SC5Iv26C)qEPBOl3>TVe-Vx} zP~hqUG|mS1o~5l&90lt&z>Wz?LiZ?pBr7)}L9m_8u~q|W$6_74Jq9K!F6m~ZaG%#N zeaCZyDN%NK-u{jkUeu=5{P4+%KpVeghU+XNGf?6Wq74=E^RlaB)-WW!DiB8J=GTk` zU~WOCg4_=!Cq2pq!?QlsOz}RF%FgNCUq061^wS{huky%HCm%n14wA1X+BKhJER3tZ zNpblCbDBN|pWP%F5+-J#c930r#oXfAfIc%j1L& z<^a*~08D^$3LA{bzuv!4pn1I8E}aPyndlBCO^|a9hN$4Cvm5PJSsVP4(Q3}v zNQSZ=OqS!i&_w(zmf6TP%-spA7EB$fN->KQ#k^Ox`F^-|wA$3Vc2rqp(|hF9Pa#Cm zn%|h8xiNJbX-txhkTJ}UioqXcDy1drVFS3|W9=AN^E_)@;xBmAJQ`iE?;?p!QkAOx zLjf?xU=X2bwF}6IhQ4z)Z<_lUeBF6&cb7`}beC9Rq<|>r{~3gJ{~d&Zt)o67DN=7T zPy4R)H7Z&kU%I^N({0)DZdsK_RT9ZhAIPOO%&EG)kKy^#w~EGls02d{HTh$mL<-K; z8aR)1E`v5n!!rxDim0m`lO()lmI zF)p*$SYoVAJ`tn~0d?Ee+MBq}RCK$2xLINTXjM)1K*x?l9 zw+9h$;Cu|X#YRL!ah-L#KJUtJe2SFCuH1?5Ql1==7zqAqDSfdqw>}ILhm%v$0u_8n zV}+tB;WPbPj+I>wX$>341ti)1p5vmobAn~&J21+=@kq!!2xQ=}WJw$+Y)bt-hI72x z=YyPt=c3!`hvSdqbE|FP_a;p$3ip`X;hn46QbjKL>2?Z-XGq?h?u_QvbRMTWGEto`t`))sM-amG@3FacmMlS=74B;WwvMutyrPNWSZ8i+9l zt@urfT6oL`MO#5$s?K4|=={bZay;h==Yi)1A3!@k8JGxkiV$s7yD5UeHkW{}FK@{= z>|UsFy8Sq5>79de6#oHQ$*u|MJnsHcONgh!;9nk+&2HvmGh!l&^ayu?S>zC{ zG(!T0ULGFPfs@V5+wFCnvW|fe0Bjx(2_wQA;t6Ff_a9`&q620|q&aRMelXH4-KWLA zSu;`Yf1s+sUQ+w_?f(BG?cMpAa`MvgggCoLISro@&sp~Z8G9LAa^HU3grB>{NbM2M zv*J4LuG58kPRId2s%X)Eu&eOJMYDOJ6PLI#vBh1BHR9y1>1#ZIQtKnTj7G4_QOhll zVeWi_u`P@oi!Q!o{W%q)=+2^x{1!_dz1~IQ-C_9P++ixq`%9YMszm8)V8R}smtg~$ 
z_X>l&^WixoahUaS3fP_;%wH`+C82=gA@+7Xx){GaC%mV{xO z_}mn+u|GI9_DMm=TjJrUI3UIw8MWbwav^yKhW=X3a_$q7*V#|(`Jbpn%d2c_WS2({L$`G0-4jE*2LM4!-rp9~khUCB8d;O`52Soo7FG0kk z(=-W*x*V~rKLpClho&(6p-!C%X*1?~?zgX>39UrF`fdSLFqM zdU~@F3c=rGrpPJSD@O&yn#R!iZ}F07W#>0?9jx#uSU7m+FOhi)J%wBP$d>|ts@x@U z%5Nt3kR&l2;%h{Ucwwi>QGq@`hdFkoekohS)=Uj31WO(AU)nOWL4ByE4yE&!b^1s` zWyFYUT3xA+%ghe z!;&cF$A}IP_Sq8vBusIE?JJX3!4DBrnti-9E}}&ntQ5I_oL1?*p6B0nLg@sN@%w#d zRt3OE{E4ph{V76V+^F!?WNeHENy&JjQ2E0ig3%5_+*qFDgoW~65mi=Y{DruM4JKNS zs!q&QO1QrQHtldEq46q-EliaP<}PxeUELvEtOOH*I@Ay)vQ%HBoV88ruj*U`{Xf;Y zz}eXP!*(P~1B1($i1qAFuje~P(biNfb8D%If5U3hjQ@z$3e`}5IVe^j(K*;jz@yYH z7TxrjCkANp5qJny2dd?X&_#PS8h0~CK6IgN{_pbKa^8CJ_={GUt;pO}!sq`oQ3QPZ z%S7>etSoxD`e&2U=xhmUUKyZ^gY^B3m7wau55M3Rq};B^wXohWH{Ys52iF>G%C@Bg(%2aR!yL^+$E*bCG%4!3 zO6j*Q2$H>6{y@C`H`CGxyn#rcbBJYmVz{{nvlXXO>H5q~WY}x~z5^5OQrYFmucG*1 z9B2RTj`NZQHN{vslL)Xgx+39unTS#Y@RJ( z3kJfrm<>f(Bq=+L_>&pW7>(`7L$Z6(jk*wADb=wEin~uerWwr{B5g9!8dgLq@Ra24 zaKuV`k9!L3kK}Y#H|WNM?lbQ#NT)qduQ;h?oh2Q8Xz9Y}IWRPZTp3wO$vuIY`nkr^-?4o;E_VQ>Sy{+TFKZ4TM5aP>DM;J;Zx^ zXz^QKX)!-N!$uHku9-(jPCt))NAeDX5Gz)i};Gdya+<&=W+g#&WX)1AP#)QB9a?e8euhVL0e_z-ka&EhRDE8m) z>xI6A;#qmm@xj^KSEwwE;}Tvk6JHn0c7G=9E!GQWodgjxP{2#cwENx;box4M_+4S|F z3-SZlw~z4I5Q)sNQ<8t`q*6_^&Gl%T$*t`fh0Qyx@5K;*FKndY_V($thuiIh^bUv;w$Gj$Xd8_gK^c za7-bbT6#Y=3o|yRdq=P@>j38Ey&qG4ek>_8cY2;M5{};Z@jM{v=-wtr2Yr0(r_mpr zlCQhl%H1FLR+sjEd^ptx2whUW*DThe7%)rE#s!9XP^<2$j7Q=#V`L{{vG7~V8@M2x z7!D{qjxhLT7Eh3vdk>)*yYQdBfmngs(+=0>?(D?0o0v>AYzPHo!mApEwCF>*Z{J>5 zCk_Y437t89A(f}eBb7hRp3k3IYiHve^hfH2FE4>|abL-E78=PSu(-E@irJ1zq`T@sMOl|K@6$62>ETs_9kRvs6 zeVMoId$X|k{oiuwb{06c>sZr@>3d2{@ygn)-lRF5O>&X=1D~e*_USBPvFy33z!+$g zf#wWb9yrgO%sLk_&p6O zK$NZMRzb6+>g}Tj7%TE5Z1se%tK~!l)0`l#wBh=_lfjGr^qL6a*$Dcb5p6G>|9$X$ zW{-ZQ>umk}*gsjK;$?7WFYRT*c&GY=875WA82o++^UhT2NNN^s7?W5@y!S{FV)B0X zg(1|ab|8S>;l)&4*toV4<(NbgahuRjo72qi^%$9)*o zVx*ukGcmx@{eM`k9wfc&S*?YtvePxRx6?YA4LH8D&$yGikeHu>opx)|JS&{Z6Yc|% z)0_pP4)Pmw>&O@F-R_h1*Ux;PuuXPuO>*Dp>ZM=RO8604xDF?U{+|84YB-q3kMQ?w 
zR)>K@hk*v823^5!`&3^!7OoPaa2|3W6LZixKCQgNxx{&x*ED5pm@n! z>ez@xX+5TJRlcG6k3!hnDLstQ(ObNwsI=8*NW9Wsad|l~BW;!Bk27l{*#ouU0HGXz z5(ct9MP8~Qhj@tJFrd`BO?qX~L;h_b-t(tV?L>oqI}5gQzQl_TgGEdFGQ1DPQjG3p zZf>{#_U7#5X?1l+|K(8sGu5hUpPD2lT9Tep_m?!;IAG9CZlr=^!@jMdx!VwPW8%Jj z6rq52ID5Fk*}~-D%w&gTVEx7@s#v6|JuRAK(uvGmUn8$V0}3 zE&S-FLCcE%*3HuFron9u?74(zNsZ;L*XDcb8 z%mxq+x{jRGsfW;2kmdO z+8;VeLX%#9>~rAg=>`B#Ao!FxgtyP;5(bT4Q!MAu|n; zI}Fr!k}=6B4+#k`QAyV?D&iHVx%QU2S(_?dbFFz;mx(L80m8JHE$lE`C{(G`dh+#; zMfWDYK+|P3v0BF(5=h)BA?OcM9?2dNULtahTzHj_QG#e&Zl}brzNSzJ1$r`X!S}=G z$?PlzA8J!e4W^)ObdENb-ywb&cr2T=LH*uPM_rNdlQi3w{hliX{?p_ordlZW0_#!F z%A!{x_!0>=vS(yPiH1-Dv$XxQR{r6Zs6U~l|Z`%`l zPqODt%L%9^_>ObB;8KBQ@;m29Ui^fZS4G0>@AF#ErB5sj1U%+Q&bEpOMVMH^k#OC| zgZaz1V1a5T*kONnFZ#t*_Gd?HQmlJ^g+;>G%OTiM5ru94`cTgjd-`eOv1V@XmUb{x z79sQuKJbos60q~g`dHfKPj*KnlOMxKLFKsvrFwRAA7*lSP0-64ubSn61NBa>Pti44 zhKN7g{vHV!5q=wI%78%S^Y4??fn<4isA^h5wY&WEq0SH>8nnyMSfKxfKe+e;>Hyh6 zt5kXHudS?Vtv5sLk2qCZ!;BqPK*3PO!}oP@w^WT!ypr5tUIX}7fwK9F?{v@v6YP#= za6;mU-WsxDl7V(OzCw%a096R6kA|+1o$o`1epKc?7U?+~h{!g9h;&ntc|nfi@@BhyP8j{4uUE!8!OYF)-aSgrKWGaS9|T9 zN*bST3~<1IP}ri6d_Wy5`2K(upZ?6G?q(WBo#v9PjO3LN*cV){Ns@+N_ y?-sYC?zf{NgF&*s6z7^x^vPbm@Ul7}kE7D!tf*o_@Q;nt-nX-EKwu0|VE+p`sp6sl literal 0 HcmV?d00001 
diff --git a/istio/helm/istio/charts/istio-operator-1.7.0.tgz b/istio/helm/istio/charts/istio-operator-1.7.0.tgz deleted file mode 100644 index 1ac8a691725836d43ee014f5ede80983bd1dcd50..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2977 zcmV;S3tsdeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI_BZ`-(&?`wUEfm@(=f2`%lBwYdbBIl;N!L>=?q+Kiyhk};I zHa8ThB`K%gtiSt#q$KOXj?*Sh+x?p_5{VBpBsDXf8U9R_rlKtpltc^J8O@2*{*uJ( z+2fUNx7$4&4(kWJTgTwBiI~+Xg_J+NK!)MTa#5rs&snSF~>pqxQ zeQ`fXAqo9}Qc=MJSoFLIRVZnq?fb9DVhD{yz*Ipa zIvp!fJ{28CG%DShl7;D@I)q13(5T(}x&Nv6bKg(+%)7?rjgXNFyf)Z@UVBZKlNbZ2 zN~otqDnqmba*i{q=jp@`MeLYof3-yH#6)S7onrVRUu@4m^1I%*-u`c1YWlw*EJgLm z24IK&_lCnkUH^yOqrLt=MVY6Q0A``|bG2z3rKNo4X)+7I>9FTLhtrtM@FHdG5<`hv zS(A{<4P2sJ&=8NqP^4V{1dJ*TVhSqjOgZQ|f+8`3QEQcu5WVM+DvUr2NK(eu)TrU* z!@E>zm>?*028i$_ge)}*4WZyuI!h%+a6|PR5=j?CBSa#+MhOyURB5^NJzAT00RQ`c zWFdd&tRz;b{E&Dz6J* zN|-`JN#cSU6KAOz0>%7g&fUxV1kh@kG3WIz5aE=hOe-%R9eA)NU|s+ijj7I_0m38= zpx^Dr*?Ww!kjnu22Z!&dt&{j?imEo^pfRA=fAx-UF8oC{4% zz1e~MD}|Kx;(K1ualNcxx4j_X&- zoD7SecTIT|z{p9(STOWr)FdLB7*OZg1N_r@)1V|G+=N z|KPli!g94*{|T#A`}Vfkv|5?L$Rk*-Jee|Mi=I33Fq0xpl-CB5&|mDcnOYmnl8|c} zx;5nvYTcl<;pM+xdH@TQlTt;4oUgs}(H;izwfyr%r&Q&JeFlIrE>5_%5T zuhjPKk7BCK$IA}ovSc+G#Hq2pe0GDAxe(VCW36nD1z|M0v(K(|l7!+XjoeI1ZJkM& zDlOu?GQuh4_Bc}hmhpECx!0r;x4t#$=A0sevET}|>*_+X71gW#I5L_~Q{$7dJa^^xp{LZVP6YHM;(&YjG9*9gy0yUjK> z2km2;MCP%of?$w+=N+Z_` z!O|E*Mrf>Zb0l*~&m^MqLR_@5X|vkxf41B9Xyrcs-^WZUztj)hmH#_BtoeWaUT?V1 z|2;`*xOM;SzO{F6$FS@MeobdjrISA})Hd_yW?fA>d}a2qHfRCd-uh#-w$(2}e&de{ zhGU$XooKqtUweAF>AvH0ZLo{m^<60<6R;YN%d@8X`ME~T_LfRh$|%!2nx%aZGp=l&VTM(&b9C5m>Iuvu7j0HGa}%5&(oTadRQ*f-;=pi3$lL?v~wM z+?4xzMLm zl{uBY!QiOb_+Fvh)^;Yi;n1L4+{j(n>`VZs(=(wjBr3FC{Cb*2-k~YN`6uyw~}H&s1ova9fjq zdvg5xWc=~u?aAos^!)4|j2c#T2ZxLE*Ouxgf^VdV>jDEXrO2WzRN2^eLG(N*45DxN zY-D|YaWX!>Iv;Q4|3wS>?fCTSAREj_gA|=&c=(@9sI^8 zA5Je%&(C&IFAUY1+z*~=+UoyhcK$I!z+Lg*LBCgz{|<)zz5n+VrH22iBvwA#?<@OD 
zTTbYwa19e7b$&T!+0C_1+A(TLLuDstdIa!l@M>URHIXya7uCu{3N1px0=ODoG+fM$ z%liRs!7ly(m?haCVh48V|M0LD|Mk25!-Kv4KSjAq|MSG^_Z0rs0-!p&%XDcVzDnt< zyT;|#!pxzZpQ=9ofI5Cxsp-E>;Ds_OYM$Wy?;rN+_@Be!aIn|^rzp?i^7pe5{C0Zv zE5wA;DJrcx7WAz;6QZy)H4&m$%@Z}@4<(3@#X#f^`0D}#vF)NLmo(*XK*W?i3h9hZ zHmo@9L&0-Uw@X%NNi@!u0h|eLf|i*JU^h^=#>|a!bGN|u^K!J$sM7z_Y2M-Vw&xcR zrc#=4Txo|ksPoc9rz-nb;dNQA+QsSRsE$Abs(^qlUL__j#X$MYfst(j$Mz`VzMDC6 z&~vIl*xN?9Au0n(L_VBqL)4sMvy@1}H98D&hEb**<|IjwtM&w^LaxaQ8KDFcN}&`e zOo$QDEUjdf2u6$|*9u~?v-uHRpc ze7F!vYCO6KCQG+$o9*#oj3jCc&Xzu$rOYB`3z|mil@ITPM4)^sg7R-Ia*Yo~9H*S> zWyi`Douo$eI}t9Bbx1rTq_5Wp42#P#I14meqh~pVn#39Nh$~7-~ge7y* za~hUTYH(!$CuA1XYhS}T#znGMB*>31PCpDTE7dtKCl5vCr}lL^LCI00YTJ(@7uZhu zH5WI$ZBr*je=G!?Hwe#N^`_2scV>$pk&i|vM-mrfDANKd>|C1CW zdC%d}>Pg*a-w_RZ4~QM^l^5{tIk`Gi{r=dM#{@O+(a3u=@*a)6M^)Em}eg=&3{!YtoXXV~r$`@X6d>=Ox_t>!-=*xQuI_UFu z=DULPd>-EA5r8V2et^A3tMvR{za8OX4^#QhVJcF z>0m1%_ao|c{lma7t@4lATaSTqX;oEXGtKWC*K)5Vd@houHRyKLW>R;9R9dZn(zVpS X?90A9LHYjx00960GQ|p4089V?C%xJ0 
diff --git a/istio/helm/istio/charts/istiod-1.19.0.tgz b/istio/helm/istio/charts/istiod-1.19.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..0a32610aad032df1efb47e9ffa7e36353eddcb99 GIT binary patch literal 28448 zcmV)LK)JskiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwyavQg@FpBTL^%VFh?~0WYhoUUoS=?WC{TNDixRx#~k&btM z`EqD*1|$&;2NM88iOX@-d580c=SfbX0nA`7q%M|Z%b8iVVsQqS2GHmmx*JqT%7RvJ zj=A(!coF``{XctqdwZ`A4&dLty}jbUdk1^%|7af^ygqpG`t|;cga6oT?;pH=^&e>O z0bnUTiIAB8$KGf6RUF(Cd2mdBAzV-vbB79C`3GaR;;R5*z zS)R6o)t>Thvzt=TgR^(`rEpkFr*XB@wbU#Y@Bhbmw!L5U(#JGpdQ+!c z4B;q13nJ#|k_JR=^C_KeZEbI(!?ehdNJ*oa*n;|Nzg%(C&c}5 zLe=)my}?%<^wNFv6Pe>BWxRtve%eBalQ^V4?y)42x-Ms7NTb;az8WTcMmngyxA&j9 z_wORS#57bubkP3G|J>R_Xr4?usL|L$NaC6KYl%65T9H9w87)_HfR8?AZ zfoG&6@oWnr{WpT~s&+W`$q+AM)vKZ^d%BTxVrUY~DMn&}!%){kG!hbrA&e`fTnMS3 zeW+p)BFWGPxr#{#ohOl`3vx)NI0@wk z^(7Gm$vHuReurYtrZgmoPEk5R-WEcF_&!_21N|8$9y;g-0aer=hd}8ujR;4W&yod+ zq}W1;TuF|5_EVS7L1P4793CS_df%Yp)kdGr+n?Eiugu<3^N%)bP%5%nKud85F5F#-xpo(M?-G+7zUyHp=IbVj2Y zH1f~){~Drq=Y64YU=1wU-he)+P=E&tLZPs4PLM`p#HNN!Bpl{M!3OnI87u_zDOLdC zAmBs@H3D6J2=#XrQbtV9X*5&4h?w|vN=cBmVUhTxH&6wz5XpiB3Us#}jcFp8DA8p? zf^;+56^O%RMk8lIMstFuEDYJD>Dmr3qzfw1oL!=jMKiULX+V6;VfiLN6(izH3nD{U zPql~o5>0T3BSiyPB2mb2fUwV*5H1~n?^w^G&xAy5Y8Kb$1PcX@SP4m#+?DW14fTSM z7>9JJ=;n~{CE+~{1!YlJ5vLb>i_#Vd@q~o118^LNE4vi}5{GQ1wz6tD`*jS(Q!22H zP81{1ldM)9ugMuSw{S`=aJ-9VBqAKve9GAZIf90#D^JlBhl1={45cCL3cJv{ z0(w4K*;hM=aaDvjMH0s$C4p@<#ex$Y8@6-ZEU*Z`j#+?0vLqo;>jjIbWL! 
z&D7sH%=R>0aHq*&MnC!kh{t;}nKO3LDQ$Sw;gpgvKt2vbwHv}qyb`*eB|Xq{M3#gX z-e1nCKiAt_*FzKv=xu0_)9gA^KwQvR(>*Au_9crH^a9B_mS};cKi7Z4{2*aE+eMtr zFb_htSJ@QWn1yVDLlm=+`YX?{AW|0i1LljCATo(t7s-V1h)5z@I9-aS{$?OAY0Z(yn9~L3RBttfs*FoC7!KS%JoJWfM6Q(lpsC-AB?{4Lr0@cYUs5^O z^wVKAswcg~g_j5^%*K4dxF?98a4J{cgh=dVtDu$#D_Tba!|hKoa6qo5hnCrCw`tE* zaoVeFE+w{VWM+*+!qFv5LSPHXXPgrevnbH}&smSch!^MQmRP>VrmRL(F0NFBi%Uuc{Caf6ud5zACW~2 zMkYf(g_6~X1d%imk}Vv>lxbO5Pb11Hk*_e<(3Dc_QreYPwflBX!jN^)U*@M$(j*SB z#GUjFGGd4OCarkMco?{(F+xIO4%3c-*rl7~gC2pG^4JU*-P#9dKkQbmkk)v%&BCOp zllB0u{0JZ!n7tfNqmd+$VuYa721_Nq1_hB{;qQN;g%V|zlqT%{v!c%=p#~rWy;7O7 zfmoVi_Mx*@RvU0uHYgQ>1y%bG1b7-1kkUwQ+vq2EOQ!YF2UGk5Xct<1GFn)$Yh*7& zSoJi!*kel#pL@Qkum{jFgprLl_|P^a-b=o_Vizi(;n{G2S9)F7i_k+5jm5zWx0 z7P1Q{=!cXXeuXD zMRXaUBp3t~xr_Af(mGwJba4J(fd5V@RgpwKQOv=}2v#N6)tn*NN?L1BY9qnGzEY%q zcYd5H>9?J(7|XeyBG}iPyVtXLwj`X>fPj?(3&m5H+LESZfL$${*;zJ|*fLYm(v#ha zh*bZ-Wc*^^9m@dAc?UI2t;UulAz2W~L53m)tKxEBEBkt3Pm?f2znmZ+3&nviJ@XCd z7Y+qWr4)#+)rwhlxE)}bJb&n<}))F#kDESHHtBp0?p`>fKIAa z92!yy`YcQL|D2$ZT^j32k*;vO5I`Ta?o8Brr|43>#@V`UBSgHJm;Ev$7z?m@jj`_& zA;y(6@03;~dpsvNAbdQUxt=tKr3?cs)(S8z1^YK7PoX&}_{ z3vJM=W@?dylExv)9~KL5i<_=A_j0 zX;UL?Parf?(1+G+5o1X;276oVG9p}CDRjRJBIcUirTT*k_wR!EY+Tb=F8ATJki8aLh^codk(a4K7HCmOlN2bA@gd?dmfO zYa~(aEojuu&PLnDO0Hhh1rDupWlkeWkR4N6!#UM>qmVH>G7v~G(7&L$pBbnBR+>_% zU_xDcvdc4*sv3Y~XqrSCOPU&3vm`B>QXXY1_bTx}$1W-#?J|vi|kTw@1Dg|Pf zQ3klydPC-4SX|^JBugAgB#cpDLKNz%?VB-R)rFuuHwD>YgX#YK28Xz9bB4R^oZ`0k ze>kD$Ei94fq-9K{wY738@;sRUK5GPp18SqUpOcUP@l?neCzFthxn8<}`4@yk)g%fC zN8iD2`c8?9U}P{oEJ0rn40DUQnj%gRi_pwho6sJr>-N%JnOEWQtP(yrgExLSs{Akd zB;K+VC}>WwH8?$u<^78SGOE1WkH`~D5=^a zlO@=Q3boS=0(iL*O;Yy+?bl=mm7;c6TMmd4?)uYHCI_4dbH)Zm2T2%O3zvniZ$Au) z&xsT%y&syRX5VK?BzHl%2bsW>v*tIvAersdo<}ORQ#GVUt1ap)3oUgIfii^@M9O@h zndMrQFAIb!+~LIbA9yXf_5XGlfg5+=?0aQV!F! 
zwVJkg^Mb7OY8n;DvHhy~USQ}PR6%@27gSq&h)@J4<-CE*3c3*vSAvS1MS8@PQWGZ< z5XAc7rAq_iD2>n`LZ87euym+nvl+747>hA{wyqo?py!TL(ob6;Fm}a1g%Z>pFnVmU zz)eAvq^~w3aFAqyV#1rkXE8|+Pqlu)rb^HffPK;qVb>zC0#p_G-%$0xJO3Lh{r7I+ zcWR8uv*I}xD457I3?Iwr_0hDSdFIAH|imTqXX?4lrVhHOk%GDIJ#noQT3vj)E~Fj%*f#AL6kE*aFi?Xfw4oce~aU zrH$$tvszH$3|Xl{K8t)3OVP66G>wgrMzdBBiDt}#ruo*|RxgZWVru6L7!iQJsiTWA z7in&%58zfvu43wgtR4|KY)^^DmQ|eD6z0#4L2*1ysUk&ELw9HCwx1Jk<|(X!CP3-6 z{6_dB!kjW;#M{%e(NRZjG-L43&H}U_l3pq-CE=<5>0P>jF)lK6C$yf)<^%x(xd;=K%YK&x*a30{3~5N^xr=& z+g`iv?PZY!2p;Zv=WIe9jxq7#BHD7fKFh>w*Z!=_--iVft* zSD;&Y+L-%qg21_L+frz2n{39MC63H~b=~$iAHreaG8}-jlJE#wG;9ZgrfRQ%Rw6;z;xDdC08$6-T5o@=jD zEMo^TAY6$rM!U?oKFG>y3U`gBD;x?Uw0@{3On7ShVn;{SEg0+DcE&=bW(2A8R3l`w zV^y}16BG>iwz*?dsDl~{D*O)NobeR?{#3Uek;`zE9pzfs9D}hBsFW)ewsdxWdgRikXZrG($|*zfhzH1SPc?8w=IElrDXi1Kz zQ|cR&lcJ6--I_O-i*Vc5w#_EFQZyPo+6>3i6A-TQv(!l;9-QN7MijK|*Zba!J#Ww3 zYqekPs$cu|SHslSu2C?Vb`WMv20rb?$b=@i{Q=Ug@527mT-Y9fq*b6%)4{~didI$} zijbS-4Ce3iOOt)bEsH&8$gi2HRQ_mSIlj|AG?kC8VvTE=t*oOR^#20;z+XzH{_7I+ zh(@!&U_1R~S<7E+I^8msakJ}8K?9oJZ}vQ97die?j>eSjI;9!Xkj&JcG;UWt7D;kt zPvz|A!p0j_nf>XKped$`OBqKU?b3#*KC}Zjo79&_l}xxf(M(^z(Qij{PQ;vrK?l9q zb33IGl@y04AR%7C^q0JYXr#u%qCgbd?(4dTs_IaeFm^@TdQ7;I*e66@67WIKH(h9N z0HxEGQf8Kqs&G)%*3Vhu%C@+oVGUK9<512Vm)6?ftE{%Sf1nL=u7L=gJr#`LQh@YP zz?|Sv&XGSS{)O;R*YGhmMMiEiM^?Fl#x4LSkuni#$8=Ep<=%d}c-E?=ZP$SB+?vhM zS)@AXpnuc&f=0V2q_epclEk|xz!C>+wp%{3+Ro%s_kh$i%@V0*9lh-hc41GDXo=pQ zoxMFi8g~bS<9@HJ#Dj6~{OIuLbky%253LR7ZEv82!+=D9YEv2-EY(eSP(#C+i8fz1j(jkq(UT*NLEGca}Wwm>P@kdXObAr@$L%kwV5Hkv@ zLWS#yHR(O*QxUh2(LFQ;a&I*`BYSyhWDk$&l7uU?V1W_Eggs%{)q=Ag0!os> z5S>F(TYqM6$i`u?NTHnTv1Ik&nX*fB5X#JI~Zh?v`R4H`+p zu`ji~98ATqY}%TtHFNC~_h$lUW|EgOoTa3Zo+Tk>P28|L#cNe!m}ACGq7VTx)~9*7tBFQzWRiq zDG5wmlVmfJVsF#Bkl1p@ojN^U(WYnQyBx#pwGXG69CAhB$RzFHyFVC>#CHgn zEpHkeYGQf7*aw)27IbEpP+RrLrCyi*p@$B^_9CpsS(l|OLZhD!wSkjLGvQ!6)MxHX zVr;YE!orYo@>8v=ap>heL@^VxY20Hxciqz%I#~V8lxf)n*3)1O)i5IKSe;6f)-J6Y 
z`c9w`SCfBeY$%EwPKb~wR(n~=Glmg?qK>eViekcZwV<`shgLP)Kdj;?DfGrnP%Pd(q|o!8PGKs>*#<084u~Xt0i7EX3+5`Ix!slq$7EG2^P7E zVS@d#Yr?Jx{Xb;^QEHnmTWCP@Gb)jg1?uF`L`yVxvc00V*{RtL)?vz`U*@5ou59+I z2}ADDKxtd;f9!khS3h`rUc0q_&`1kean-Gctt8p@;D1gSKnzOh4|{ny_HO{kxj~3cZ~a0%{%gBNC6bCa4zqP#QoRmU9LeXwiX zFHHUbv|tIG%v=yH<|=(cxF&!oK&s)8VNH^t!ifw;kAM*@l`(;NS<%z#_?eJx6x#@5 zelHoyjv&&rI<%zNkTXsc#ELOlt7vYnvO_=c*tGgij(7VIRD=pfO^L$`IKz*WMhpUs zhq_^y0pZA*B6W~Ni_!5=XBJ5^BdlWh7>PLsS1ZP((uGpGxnKbaRbOiU3V!;okNhz0 z(CQ=wLSjc`&WeEjYF43RrIH9~7OA71Qb876-HUNVb{?4FnBmH}#>SjoQ6k*42=~Nh z8yOVKI2*_w`W=8~;na)>NoHVDV=?lQ^@S0c@M2h_k>nRRHtrS~JNCBH&AEN>V^S=-4F)+jn!?P};|x&jF$z{Vk#Q^prss!ih;9c)*^sKTr6 zpl`xS9k+liDryU9Q;ynZ0|Qi=IBE+a5v0c#ihKO?{Rl~RLBMYY4G%T4f*(Z^m32VTABZ+htU%l1EZQ*XipukF3C)-=$QF&GWN1t5}|@3__ivy8p2K14QS*)fsK zs&DJ<;22~~`wHe_be?X^Sl85etThuSfu);1h6#|l39y_EOqf=38yXWf8o|^IEt4FM zhC4|6<7>%13c#sT6-q-~tQFSFh*=ik0NsEKYs8}FzX@kXkhSji!_m<6VC+}KxiDM5n8C%9S_dWe(4_`o$qKv zQJzFOAwUqfX1sT4G;1yQv!F*cs-FklEFp+Jz6M)Cgq3oFX9R3MyReB%vdv_r!$dtN z{S%F5%l+=4Z++G$SeQt_H#X~>FKyeBrFQc)9~~HZxaMW5a_SThyGm2M-ua<$1Bm-m z%T;!*{L#cQ1*t95`;C={1Wur)kT?o34^R>d$q8PhwjdUvkjbQ8K@tTxl1^j7Qm`NpaJC(iD@91a6lhgt93oD|g&D{@H*6TJ&58-Z z;-qAQPPHlHQuPLjy4*E$#xhB)lPbWf&Eci7LeF+>-`eOhBa&@H#vM5QT1CFrQBt2E z*zv`1m&`2NJMC*jrVeWz`w`8BFpJSzu7=(PZ{BI`zU+R6-Iz1a54Lx}!@2`(* z@_)X1^?F z4So8Qm6;LkVpLUV>y%t6otnfT+k9{Q#Sup7=3bYg)Ja@a%2s4(ObePE@f9TYVhKm! 
zFaiz=MC$wvBrq<=3lb4+)qL&heIwlwve4CgAvdA=Zy4n>obG~YGiSJYl`GraRttN<=mHC9WaSdxjLR0sXSk?{5e-!<4bQ& z{EIi3hG#K}^7X3<Wnwk>mj(yqm~5iKO*Lx1LZHb(NA;g#g_| zvJ)8=y3>w1Ug|dF88h&v=`+Dy6_u`O8n6#647Y6FsaVy8b}G6J=!F_pjk;b_;9hu> zcFUEnYkGmNPQe}UY}%EQ(@9dI?$>u!-Nf=0$u6~ckQi&*vXygwZE&&DT5qwe_dbU5yH2cviAM>~zJPoI>`Vh%f% z+_H(oCC1KbUcuJ7uSi6Iu zkX{h<{JB*x^!)AQ1Q+yu%k=n+6Of~19HQqjr;$XBj~^T8IVUl}5Pk# z_FonB|CjB(gIfQ8jOXLW*7qpO6ym0kqEm24us_Wyh*I7myQMX=Iys$)v|H5Xvuk9@ zry3T+b%57%wWI7#EE8FKP$PD>P+BZ?)w0yB;>&V>^T!MzTh0RWoaumv>#F7R6?w)a zaF?q2j8%7Op^(^W3!$Bz0wvjkB_19^eDp%g;kmTdKr20TVn1c>mI?)ihb~Us4GBch zG#!5>NZ`r`x4{CpUVbHRR;Q4H3+?P|-EFZdW;kTCZ+v>6t4X=GqTLdyDhu=W9L!dY z25KCgpP!u%$7iR+S@-#bMr%LeE0mX@^U}RnJnmJc-3!U`r_K{1aeM26 zMnT6(E;V35mRf4d&06bT5Oz=J8>Us0=AwA+pd;p?RF)|h(&wk{CJ18Eph~&Eu4+=i zc$Bp`S?W?nnEp!r25fkKBdu(lifx97ELk+WjA%4#TD>yYa+(g$Z90iAB6b<2O_!TY zLzO$I0bXv6EfEu6jeCKw&h@2DBG*$jjv%z4(T&Q}NSB9SBe+ZGoJ{RZJGc|aqP1+p zdyO+$jstl4Fz8`;wt}aL%#}=L!gCRd))_}b;m3*jz5aHj(wz8l;;k#LfN3_Hnx%w- zIQ#IqAPcxLW)UkHuJPYLw!Qrq&AkTldN|f8J}D92zmf?tv+2F1()_uzaf{~q+q{$a zU9qR$)b*zR<~MZ~O{|-6wrlzY-^a#B$P9hWblbc2blEJG-N%nevS0Bcytd+BD56n7 zB8d*N4$X9>WT$A;`qH9K{Zu?9`QO--IlDg%V6*(+-hX{i^#6IaxA(f1{~zP|_z^u@ z_@X=LzvV26QRhd*cwzsOXz88whU4y_KYn|D_HKY0?(u_n)x7vYc$77YT%S*{uc*gd zF?Q`Ku1hK!uIaZ4b2w)qSHsNaC5Hy?t_^CYzQX_R6GoFsa{L~u-DzTsvJ z94x3%Fq#M#cc$Q$3^%a_`mJGab1>=Q^1el;!jkX_6rK^;*hP(y3iuZ?_^CgVIKYyq zzhZdxdp-+-W+slCq?3#8-UgCIOy9>)>?LoG53p&;gtaZ$l14MsJ3mA*;RaM4kw4)C zUmz9+gd>yaT%>sh(;Gc7gazuX_gPXc6A|%z^TpFGNMbEo`~P_H!@drBjRAj9%$ZMY z7E&K42I9ip`o=H7NNH-^>1|%_%j^U(_ZsKi19G2Wm%1-9vz7anTuB1Qm?C>!y+G;0 zz)DrD`}d9Cw+bSPu?Uy|{Cwh5y)U2Oe58nJf-BAr&pJ+26pPRwiIC{~mhpC+BoLz< z_?V|D6jGnJ_0yQjsf8)38hRc=RJ~*sb#I~`THw3NJe+uS?`A9nn0f<{nLYk5;V?>`z zOR^O#P>l8P8z^oJ`n~pPaktR5Ll3SY2R9klF0wx$G3DJydT(PhY}|>->~+6$Ga7G_ zO)57f@Q?+LOWkE8*w5VV(oTK&_U2&2pozEXa2b{bw(!fV)3w!bSxM6=g_xAFJHMoH&WbnAo; zIt%4&7sX5nI)OkYBXdAb2YXuqWK_Btr!hBm+;Dxf9ic!x=?!hnGr59j>0B^Sq4%Oe z=hLTZc%1f%V67LvOOo~mSanwD`-4@tchf1fR%pjo^jxx`c1A68(Lw+CY&1SP?f!Ip 
zG=AG19lh`V3ihtUqrvgnuO~;RqjB%-baZ}pe0+4igBlRF2?q!dV)3%EteHgf6bxS_ z-KZp3J%C>4+&@*RY(6{$sVenFyT|6s|1qAs6R)2%c075jJqw9BYqtA#!%S@1b7z-|f4OlRxz-S04O#vguDhIy-|SGl z@wFKKAozVt?0%wt4rTstZDP$oE-%ErxBy(k z|J!>9FN^2@FJ9K?|Bv!idJ3tPKi9W|@uMrr@i}9%*DX@kjDFhd=qku2vj}`yXZoe$$e|mYaSI2)m z%ACY8tPM_J;Fy&gNTPp0ZbT&%}1xA+yt|U|qk+gn( z#O4|%#^hOz*n6m}y{AjNm%ZD0!=r2V6L=DLk(y%Vd=$Qy? zl&f3O4NqNL@tDm@wRFg3Wfgm1tHE?SwoRFBRt&||0?LN^re4k|T~|>xbn#E0nkbu% zj~`v7JuT@r*>taY%9k(b{06eZC=kMKRAhE0>NHz!&5e6?=0f8~Hm)k)4t)iII~ii$ z4?1wS>AIo~r^UjAG_~{H^Ww2NdiBH45jg#S{Ft8E=K9Y8 zWKxS1rofSsbMTp4xf*FYoJQ6X%I^Ehz=15w=3)VpFZWoL8cGtQA(kWzsU#?7EOhFm z>EFv!ye>zO3kP%xNMce5XLoejOwuIF{=XiIEYr`;Aj!(-7aXFLZZNCnJ~DSG`qjqy z{QpA{=}>2=4XAKFPLGQ&Na?!+W0YFtAv8=Zd~wA+oHyA9stw#kj& zyxTbZLtRE^w!ZDyO$SwjZ#;Yc^Vx7T?hkf4KeYE>HSRVnhbrZU=Dg1j&!(b=2JFTA zk|7}jmPpSj3pt(4_@1p9pwrEcP6Fi)QJXP~TW6GA9&1Z3@Rf5>Bu>*hp_p(aVjQ_} zRVIMC4V;w?xNz_9?cD+DG$9lskd^6L;Ij-;cZEJ{;j_VC=!8-?gguvj>W+!F}av`U(?n z_H2EQihQyy^cOO5XFpVo)mgodYk6z6JW;;GacvEILZPGL(^9F^YuBN1K&z+LwXdmr z@%~eIV(B-kO;w%t%f0sg+M(T`o7=WuoSo}Byw~VT@8icZn4dnW0jz_xlrH5xK@wj$ zw@;a*G>~&_H@#*EgbNx4bV-8*a^VA5E4&D8`b9o7GDsOAEzY*SH<#r~eWNSa_h%^; z&cWU(W9A|@t!8!y{awVdPN_e~5#pptBejWbw(#ztkL>N|8Ym~-8RK+DBOJn2Xs!~X zRdyv(stpL6$<|qzvM{PMvjs_^t%`B#X{|tc-&%R^WCsSU`I1K8CvDS3*IBLgWasX4 zF@%|h*=@OZx|=P3Dbiofa(uC)Y1xA58F6|=RXMu2s@h*ja=OUq{3}OQbm&s#UeZ+5 zBvpd|XaUSTl7sV^nvcIMTxq8VDVcFoClvQwo)i_rp1-tR@1{@5{+qc|-J1b;v;B8} zf3Mvx+J9fQ>->L@@>FG4C}mc73JEx#Jb8!j=DhTJdhaA>y&$Vy^lXVk#qIMfJKN01 zFm;&~52`6~5KLxJ`_rd}OTl!`kBa0?Yw|;7aVq(OTqgkOu_ThZf4)8?NU?CW*rzmg zjwP9`%y}+@TUXwJ2c^~A7x-$J@ENJVmKHZX-q=9PmS z=8cBb_UNPxx?#(bg@k7lsT+4*et!Eg3)yTnj5)zUk41{7z-7=*Z)=L&xNn10Ifup5 z2auqu6|$I9#;IJvEfTJOliE&&PnBn9RSh(%#-|f6^jIXxm6PadDvZx*`^Agb=B>{n ziD{Icbs{(@)M907Y_bC~g#~J~8inN<3TNf%>SHIe$2*E8h52641v}%|Pg9qqsFH0_PR{gCq>~9YYmU zm3^#qjxE=(Aj}A1J`?UaOA}?O0~)#a&E|qdR5DJZSvLsyk6;@-SOdSwmF$INNy2=W zs;Q98#`*|n3?+UnkD$~-7CF1N%dYsRU{Q5yoR8I44FK<2}bC4_fsteuSuLSh`!B~cPOT+i6k 
z_gzyKb!Q|$mQoMb)K1Aj*`|LbIqq5V)aA3nxYjU|>#FIB70jZ&S8l&b*|87AKjt?~ zN=ygl26niE-Kk>kOX{FeZ?LJR+E1TR_4SRa>cCne#DKF2>E!CnrHtRYNfJ#{Sk61B z1s9bTKUEJI606|wkc4?U`;cQV{T)0d-P4wwLh2w?dXQ(&;)UevAXYNK{2hniQ z?R_b*GS|91Y{R4TU;4eHaktkydv`i|Jm{1r;gzM*3K0MG?x&;P+3B19+bTS1EirHL zBx;%X_Le^3G)}|?(pGVXx-1jG>y_A2H4AH|$gbOnCDpc4Wh_zR66A1nKE#U{F8kfE z(?;jr-qCp2JsBMLPb;Ue%)g3_R|wp0M{tGH;kbKvShJNU=nr3J3)9(wRXOh^={|mDT`DO z747;?2KXXs1f0dicTLniKCWImL42Pr;sIxH1YID?`LFAZQ-xMai*m4bQI;%B7UTqS zB6P~EsO%M$iB1hUr#xuJn9Ei3k4xF8ro2F#nvmltH@1c9Q#0BUgG^H@l^4CV92?0# z1UWPzlEygI3s4iXRZ)rNB#edj&7IL`){;bk-Y#AUw|ajX#)$?;3l-&5`|q=oRc8&bsK{Io0uzTjmbwCcWV?= z|H6*dUV`5+fhl7@q7Bp#d7OH$Z~kbYhMn{Vcw`Sak#Yq`s(HU`@Npk8>$;QOu>x`+ z+Jv^d=yFc|xvi>0Gwj7Cu?dymO5^TzDq{P6nnb>qH>g}GC1Bg+lD)KZXR_uhR929f zS!n7&D1^~>F{ca6SKp<#CPQYcU65aelXO=B2aQXHAT@(bBBGjM99o9>e>q1=b~GDF z0i;_sF8Xj^fJU&9CGI8^MvvQKpIv3uSz@vt$1E^0Edhh^kgGVPK9%7L&JO5wg>YJP z3zaqS>Q(ki5aq+*)AyZS^-)-{7S~I??>g&QJ5Q>z#dgs0>YOn7~BOY=6*j!iFO$Rw^y02(4lW7~- z@lHdZ^{7UjgheH}*8XgLkNQ(2*n+T#sE-0Av5hsS0!8G~p>>l)A{?2!fJ{1a@Mzgp z+h(ORZ(yk^NKF`{0HV66$nOYvG{J#7Q%pnMYh$3=Oz(zLA4t&2+-}XcPP>y*9n=6& z#_jPx#^>e=gt5ihaW@Lah8d4fr~v0<5;S1zn(()V6O=kquo`l+z!#ddOqP@-X4lI( zq1(DB#oH8Fb9^Sm_puf~U@xbivy(JPgrs~gDx=u~o4oJd{(#ELrJG?WX zCeNY^sCl&(P@9_Z3jxeyzbWV<4oME^?DcxUvoencDTYwzBB1bgGn`Q5F~GdUE4U%Y z1=7A-3!*LX7yyFwQGuuK`?Y|&g>C_C&iHXHi23urYEG7qCVq19d!PH1^#8);g7*;w zcwPRt*ZZ%F`9ELP`9B}$G4fH5L29o|JMh_Jp|7oUVu@|2Fb>01EfQn~x%Zv;_#TT_ zTD`nf!o($kvl%5T;U%MiQYJ_w=u-7aVkn)3x?j$hN>U7{FSlHsu&A1EA=F4Y-2lsZ zRz&0UxlXo_E0e4A?)><=I`7VpRTWNXv}F3W8+|I%xQ+;wtEh%j6UCb33@`;Y9iPv* z&I4oC$hnFpiKdLpB*Kz}D|;oDQZbW={+Z}}cWKbKT`3xY46MXm=a$P|B$!$vECiiJ zTWJ$9CsTT*7L8zkZq)tE)5;sb_fMaS_MFsap%l`Pk|>wY%W8@43|r2T@X)x96uvep z^)_>8mA`Yl+S{qhn6y5vdC8I#mHnvoF;yN|gvICxRkBGsH7O{b968lAF8 z=?l&!8ruA$Q{4Q98ol$Q?&!$g{ZMteL}rT9*Q&PH-T- zkceGmuB#Bc$mfCB$!N+N`=&9noxlY(X5WgUWpmS&wppz7iD8w7dL5+$)V!W#RG z@X#B|g+#(w6R3a4vqrg}$QNRdf zc(S(Gbj!8AN2d%d8B;W2(%Iaqw!Zf+ZF*PnpP7;eVorP#kjNxzh4i9OltoVCX(kTM 
zA)gmA+&oXE3MEYJpyx`KKn=~Xw4FI4>0V<8?G(-rhUG}^qpO$`eP6V_%kP4$IyubT zvZvA-DLSZcofnLaJn!?dVGpGT)9G@##;siRTC+O9U~RTb7w*hbPy+ps5pl}o(G`VM zw0gO3F)wSvXiNQ^GP!1!nrXys4mbBzoeK2Sb~}TX`lUcD$@T$yt}w5FusipPRJ!+v z#HhluJjvyJs=Ft}!&Fqzxtuj`$dl6>09mBCr)7$3a?Ir@Zu-$&y=YD5_lC&#N*Onx z^8JluF~k6 zLNbnL1k~gQL(b2iur)U8yO^&__TQKV0Tny}-^xi6%*baag1heirKdxIjwjzMc!RfFS!tj5$G#|NgP?*HB&$JMI zteVo(M)t*q5?6gQNsnn%SyRn3i6qr0HB}{GIr8swCq&<`xm(}fP_C~mUw_AWt}zk? z;E5vOMspUxzv)fsyQraLaQMUI{8Uh9x60}wsS>3tLyY2GfvlRn8{N%bdFi@pDr7hy zk>qsE)$dM^=@!{dUAsKzv-wytji&IrQRgA8fC0ypTuBmvy0W1kKM|5G>?=5erf>v# z*Xd3(d2Q%4#gPz@;*LEPN!X`PRec%MBUg|`=|+83-N663{nN$G`>$NiSX8xcQ|f-k z{wUCo^{WP9nHdE62Uz0J#c^g8x;{0q4eOYrs*IckOcD60Rif0l{qAJc`_dxN-}? zhlX#MOYZ>FPywV7P@1?<+M8LwG&0xEt)B||uko!Z@l4#$6)@NMfA76~xnK1E z-hc73rvH!eY@=>~V@U#igP+L|Wp%e};sUm|(YeW$6Jt5o9udZ43%qTNMLG3VLxM&= zK{z`Vmw2`X_f6AiPB@8VxI$XoHV|PGa7z8OQtc>SJBrti;$O;9{O)ewCL&nk83XLZYdOHah*v-YojI{vj4SeH7!&WTA3gJ())%V@_XL65_ zv$BLpg^Tr$vie3{;nc}8pCt!=$?a3tR!{u^v;XJgy8Z5taK8{4+6 zjj^$vjcsQ$+1NJcH=pmXZr!?7w`!{YnC_ZB=iRUB>2uEWJWa8j!tcn}fcdhC-~KdO z+xxTdH}_TZCSkkB*eBig&%!WqosBO~Vj|<$qQLTb z&cp0T-(-A8fYz3^n}=6~*pcxGq7`^|-14_F-dz8|GQ&rS%DUxJ!UAMcV$Q!KiHjer z=Yn*12@1S85zF^fgyLJ3Jszd4cVC@NCF6&LeHf6t_ulJ~#l!2Bz! zHXr*hi&uKXa0}Ub#L;imOQa;FS+dSbWI?RnGAAa1Fgtef+S80B{Q=ml{Bb|m3KGIF z$3BCS02b;_fgr_W5pa#*Ls*u}xjhtk7Y+1B`g$6BdB&YkD|`p~7odM~S6Dn(K^TYw zpN$DFuug%1b3Wi!i9ovUU!<~E+mIt6tsUm_2@_Ur7LO&g`hKn78oY%TJ5ylrivx6N#lF)0GhYk(Z)ncm>7p|3z;@=(q#tzR`WOf=SI81Z032A zGXE;YAq>$Ss+XoB_HmEa(jFCvlhW|eC1Nng2=nR6zrt6T{0U54JGJ0E5uiJm6^;9! 
ztO$YJMn%tL(4ZxgXCti7{;hiCvyb}3d;2|LcDX8{6{PMh$XkTmIwEt~xz|0L;fp_j zgg0(@e4*K3dOTJ#MU7G!5WW_%uVsQ)}8q8T{)1l}Fic+djx{}}yu z%TC;&iy_v(P+}#Sc~t#s`a4GrAv%{v5XvWfrkF{TYPqNgiQbSZJoD>1p_V!XgN*l4 zva<;`2jSDf|Im!9rtW*wcMbX#b$o{{^9qfrX& zZCtbKE;~~Zc}mFzc_I2{;mQ52_WLXa`#2HE#FFxDK9E70^L#1^AktFGKBfw^2@W^#>Lj0=<^c3lir5@d13ko;llcDBMt;IC6urnCyM;{hL5( zRls$>d~BG840`fk&1RoNUsnZ$_SQ3$5qtyAMUJRJT4fwGF6eD_e3Of2nnk=hFL2pp z?~?fl87e0_eB-4a+tq!BWL@>20ZnQ+N62S|$ceMk`-KUBynNy^sE71B{gH%+oNhdf zO6!`eZ)Q8Ug!(tcxQevkdEy}hAM-uq0M7GnSzsSmDvb&Rp>zobz)BH}a;*wAV5f^H;DRbD3 zoecDW7@hup*lACx0R#1wZx~4m#c&7)ZYVnQlOC>9hph!r5Majais!1POaDqJ5U-t7 zIN)t0Mj@V@>iWsHr$w)*V!sgU)`V-bjbPJrH z2m(wNZ5f*^Ga=jF>(xHtRKEEK8$yAz(wC~af4pE zV^}=MY&C(jRd2?j0(U28U7IznlV6PTRPn{uYT+m6=}-K(mDJ8H`s`Ja=4v}_)rQ1_ zLT{w@qZPJTU6vY!GnIV-kghX@wqFmW3V)0tjeP`M9cL141H!lfZqK)7=kE&}ySma= zu)iP_dAdo^499RX3B*9p z?nb&#nW&Xy^Qb(Qh5A&YOISB^4DXYJe4VC?Tn!{j)!EQsqV+A ze|n;^sjGkP@e!;76|Fs-4!?A&vo*s{}cR><++k!Ev2Zgat-Rf943v1lu|(~M=G5|=tX zN++ve#+`~fus?Zk!JdnF__l?MT&Vc{)CwP+o4DhMBIx{g6cp<}JklZth~H>n)$2e9 zB|TSyH@q){e+Fx}NA7vAuCI4Pc@0_(hqf*r_!)jk;(gK{J;C31xasRGhZBb)t_Nl4 z#~PBOg-8$#r$o3L=C)Yo^qXhhFpH-;ZaCLRn=TmVg)OJ?tWu@4>C)^@>d*w*aa?d}Qj>rBmkB-@HnZ$F5vA(;0- zM!fPX0rTd~oQFqhu-@ADKTCqxbU)`|c#$W^U4zpDx+_GDmtK_)^~3N;bK{w9FdL=_ z*!9QwVjtMeo1azQ=QWh-dzgjV1%kcO*rC><`G)3xBAVG1!PlQw3lj?hpWR<~jD@|v zoFEw}<7{%ukmb=}=g@zpWu_2l-6s)v!3wN-qy z0v~b!RUWYFVgNtK&hB9@}qCnGg0nJMa8Hpkt%DX%kHr5 zlFaU~kJ^M{hIo4=pxtmMsgy;aBlxK2xn(MV0N!9*pAYlXpN#XX5DtvVe$)UA+f#qeOQ>mAL z=~v-qoX#9)P~Z4~%Am$a9|2#-GADue#i0J-{`Zak z1n@plZ}FXvvbTE#9% z+VfT=?$!T=3gANoQM3F1QUlxvQ3KrnA2q$2Xt;}Z+HcN>?Szm_~qwVQK)ry-d89X1iIzIyy?m$ zXl|weRJ|ltvT0^oy56?ZW>7x2D{*6jloj#MFt4O z7P7;Wohn?~hqHH)8y;X2Tx{$Wp_FN7s2Bi+T%B_IgI^d_pmCY&Al!dRH3$2!P!i~U zMQEa#u4Kny~$#dAOZ3gW@Rn-Yg_ucpV z3ddk|7YeWCO%{r>sC}gYt)wI!!aw=!x*4dQMAScr|63C@sdAreKoGp4Xc?^5Ytk4* zXCk&M2E3|zx~2I(Iy#^94YK-A>7wJ%!S7MaNzK-Gf9m}@Jm|B^>%VIz7tr+E2|_+_ z&^*w<$j+jg3zkp)E!G@PISFfQ@(_Q`t{R5%2mLCQQ?hLVUqQST3{6c<3f4sVyWFN> 
zbfrk%zaNLc7V=7+(w_!&aq-TVxVlPBqEd8_w4`-pBZMlMghU!JWmco4=BHqYfoT$= zGD0+XMLXFMigpz6rc&hDkI2O3SrKs5dYI=$Uks)O)S9RqB+^T?w`C_q>e#34wAwt> z@^VZ|vf}-m8JBR$9orxUrA7BGKc*Fiq-O*LMW1=q8<@}1g64EIje<9ZVUi}bv`&8K zYR8Nh%wtLM27NmX^iQq}zz4kErh!CCihEf$hF!jcakbuewr7i%{$${6Vpk-!G=R)2 zN~kUw_=NI=aA)ircs(+u_vIUBh5rZ+IX_2XPy`@w?QG>#!yM5LB*%k`9#SD8*hm47 z7H`u_lJU{k-`cX4F-I?PMQ2}5EVs8iABsc)c_|SlRt;JwSEvcT`J9WbN-o&6wzODD z&@0P~-u^Bvg}@xNk;V{Q8CzZTl7W3={Cs+M-D>eUjP|Dg(HBH~Q`ktiya|3gXcZe? zoCbc6!HLP(7iS{kFK9`LMyqE-bx6%-k+%-_Yr!5TS%xC72xK||lb!S<52ox5$byyS z@j*64Mm58Amv5{=@rm*5sjWq8c6aB@dXuL+zFAU08;36s{wGe&JqJpkdSR0gqK=^~ zRSQR}8j+J}ns2t|U%WgC)H{-H?kuNLcz)vY!C9D`_|BTPu3Q@wCV_6%@dpORhR@;~ zE0!a?gi*YTKfOn&1o~LqRFCerM%-^i8hRIo!>N@JxU5#05e^4bV;=qS33WGQ$k9Q@ z-+651uqCDuz+lPJof+HOx)$I+J&NT{=)U)r3m~~USKVf$((Y2+$;xwE%T+N6m@zoE zdn|&}*#wF$&dLUf`H0Skgafk zPq>Mtv+7mQ=Xj8#IxGQU#nO!G9cAZj9!=jHR6OTR(`~teTv?8o6_bgdSw8~h#L4ue zL>w1SP#hi{^t$J*EP?^kz~^V9c4O=dP@JLr*YTKl8rYkHgPa2SAZfabOn3{G46@uC zJ08@5?HX<6r1wzPixG284W@xM?`({nezXvr_1V%Zq2b@lcj>Tw9oeC)DO2)l?C21U z?5_t}D;bws9;xKHgmpiH#;7+Qd)suQ;2Noj9`<=jrKn*5YfF%jf%S-*E*9~Qw_ zf$6LOSxS&MBHi`h4v)G@&#Wd@8W{GFFR?%>h4RgD=mGXc&$VA$*jEC6L#U2?keVa- zIh)+@B_)X!&IS=1i?aKwUrbz4;ul|?>%^UsxDK#q5qag<6cQblcyU>n_$xnMu8DoK z@l(x(5csW^@v}UAV$!A;!XODbmEYEp?{zmT^93H;k$u^Pb7q1VS>mVXtma^>BKMcB zCjQeW5MF{bTfP=sg+zU5G04Ay87_LOGS9MR5++i@gaMY5;_5atVOw)$vp)7{%~29} zO1*C*n|58y>8`u58}`%a->F>)0C*4rTg%-)&u<5R&z+T^k%n8HlnfH#2#|*RJeqm4 z($hP*)QuON!8$QHKW+5_d+vT6FGx=s5Yg5 zO}4h-4hQf7{e^ou&}R%naa4hEg@GG5#PqFK%&+YKMtb2!p}uv1wzKv zHms$j38Gz>fsGXCFr2Lm_p$AvA=k`hoVh>F+^{@oWX%t?mvtI#_LLm%*N+sxLfq04 zkT9c9Ta2$-pW9V5jriC{A{aUcK&p=2H|rD@9_po@DLA-LZ~|!^-f2j~>S~)JujeJ9 zIL0+upc~Iw!BfKM=b!v;RP-qcFIEHv^0wREg;(ZJz(U8?d44ZH;dU=1B|E;_{G)${ z#6PI?^Yi28-4h~cRx2@VsRiPMH>-WXzwMWfz{MRFc;CF+@?z@u+EB5sA~mmoyaVm` zkBh(n!sl6~orj$x*8YD2cef=+?c`5$yBk#|dz(C}5=uy~6AP96TH_o%{KQBI4%|zl zfm@S4*2PvJ@3sbB?1Aj8rSY=!rrd~b$tI@#i(~7j;RA!#O2KOZ*>&;Br*$I1H!rm8 z1)*5a$wNfZd6K}lmfSPGN|p9%1onC21x#(w455#urQGrxcmFZ=-sQ%`!i2x+TnGcM 
zG1mLZ{}dnGek6$Q4ORTOG#Z5N?-kO=P-(W9n9Ke1#BoxUjaxFx?sR$=g#Gvl3A1CL zLoRkV$KQop-V6$yLsx!VUHp)GfW*2U>Q{64H&kAyJcpbplo$c&AEP58r!jF_9>~YX zcTI>S_1V01JF&5=>RohY^z@cY@t68XrGN=IYn|n(Om%iWZ~3+eoI<6TUPN-d{cweF^{c_%@wDa2uSXdkagFXIoZYvtHM)p7+7Jw^ic z1vONy$H!B3`olVv>ZnGn25Z*+&;?bjkT#Jt0n5xV{_T%gx~}4P086O=RP|^)6x#jQ zZiFlkFKD3H3Ax6(JU(R~V}KJGkmAjp=tWk#FbU5%d9gHW2-Z{RxJJg8N4G6aJkl6H zyMrXXKh&J+2y8LkS!|^Om(?II_U{^l91Oc#%ls|mw_FI||3H3WEkbJzX`!eWS7y0k0n5<8RX?lv^G@1NW$BixGhZE3sI9qY3DKu?iFq+Xm-6cQL@%y7|eqzwY# zzL7-*F?CT7irm>)tUD;Oc6IrU(;kaSu9Kmbah(R7z>YNTJhllY845bSNR(WP3JA~= zP2RXl<)J+7D3=d)i+T{*iY?bNn{|*3NE)&P=CukzjHH<%rFbsUh)am_$B8_8Sqp4z zfYY@KzX~@xcI4bcbc4LYn3UxYg^xyY>>J*$?ViojPRN>-CTo|G`7>rIz`tr5&qd_KRM?%Ne<~*SbvE=`& z-+7p>j$io=ScQsOGm{u#Dv_TK1sQOC%TpL!zG6r1v%+%D*a%Lo2uG-<(OhIq9520bwMwGD;4J zdx0^dZwdKPVBeazdroN;s|gS}$yY35o%o^LkEP-d+z9H6NHbX;k-vz&fy6}bibYk= z&gZ^Q_D?|X#^*bW?tehvo4d#JP2e#rQMe#@_F`0#6yDIh2(OzJfnbFgYWDs7i6x@h z_MZT!o2#K&!gE^>|KqdXKiy_sMR)A)?G6Wr+syo=w7>Qa=E7i4qi}P20+8($$8N62 zqR%Z|BA;CTpm>)YABW^BMItl`$-f{LDc0cst6L2cf*~gYQ%>f6>ENDjxZI)lIguhJ zkgopGPc6~u@y$Z%a$SeZ+pe^QhdR^VWp3OSbDMn?0Wn;-UsHNMkyw8x(+o?W4U?Lo zp@~wDLaZ206n=q-Y=e7?BWn^6`f{?Hfy z$`;`lmL~{Jl~(XNB+GA$BFm*jqKo1dpI<44-~C|yIlC&%~Ao=$;|MG*&ZHWxaR`Ynz5#J$4T zi3y{j_sxX~qhr!e-Mz+RV^+OatR3b=L`c$~OIMYFT5irkmfZOyD@601U9B(=f-T0r zB0GN|yPg!kBK%YB+5x%UkE=rMt#b~SuKMqPh5F_$xyHX}&?Jg#L@pDsQxHSA1}Q~> z*T7F;QPi&}YaFQex6DZuDxK9KkgRfzFbkY*X3=H@) zimk+zW!=)D##O??1R8aB#q6E%p9}$D9!P}7SACjBVZ3W|3dDA6@pUC*?Vx?M3y->o zGVIRzDzAok->!YBUY!I6LO z{qVX;95<@EuM~K@TrMSBMh*=SwWbnO)x>LQC(y((4!FOfQ7>kM5VDJ|9_S7KjwRC> zZugUEiXEj0rO@#ckIMP62yN$n_6cVr1qu@;NJ|gxpZ;^^`hJxkFTEsencBRxlzPhn zqtzgX$K0q)O}#YXCctAszUV57=-Jcauyb!XbNaE>%qZC~kY2F#tyvH9UavDdUbua? 
zdF$K*xv214!+0|msj|{3)iChNcFu7 z7oK{eI?ggd2~2?#^POtVXe}yEK1x-+OX2uYA^76jxNLN!!<3B8cUngBGK*4~@3ctP z132DtHOqdd*#dkt6r4tlecky}G8vz|uCA-M4IjjFIy^@%(1BGI{)px_M98yL`i z2>iYOhjfWYjk7?g2K+laVu{K3FQQR50iI zWL8Y5n-$PPdTuJunBm^#&6#|B=t5!A=wFSf3I4&a)96DktrLVB(qy2-KoFjZg)D2s z(oawTG2I%^qECcaQmRe?eN!Id8TzTJVfg3EGzl^2B*ec3*qrk45@@tzR{M1`cmCee zM8x-cUHJ_KSQ>Foo<&f1rWCP%zw70}MfCZ5y7r`)zQB>c{<_L%99&LN0IGCn{RY}s z^i5ZzZ>D!xw5Q_2bROO4AC1_aqL4F^1x^}w{k7|NVt}(BI{gH;74}t9iNIC*az&|$ zq_0e=z{f~*)`43%hp=;U#Q@XC_X*$b^cUa+F*>4HS-H-Wz;q&0yyrsUGm`^*82vAT1ordH?0d;$-eng`WA>ZR zmuI6{df~9IwT7L@hvf4>e*RqjG+^XccWr(^4X}3K=5>b=*nJq-{&AfF{M>upx!GLw z+s9VigNQsk*^1LoZLm#%Sz34nk$j2r480$n;`qtUW;?@Pks_~i0QJ{GR3NXB04IV9 z6+@ze0)|yV{ZCM`Y{}=_>48@kr)mz(7{AjR%HWKVsOm6UbkpCLz9D9KrF4hR8%CTy za2!QO>Mu0cy()Jm+uLl%?}X+ynN)k}sYo?DVY-$k!htt@?Vm~yBa8LLs`zvA0H&VK ze&zDdl7R=vYo6U=%xxoC^xpOHaqQ@Qy=}I^bRbgu1Hk~h4MacLuY!aCQtk$29`M+t zi{d;#?d~o%HzF~8?oeJnxDR>$hNF_DpB?tGH}kS59GC(E8j3ujv%q14+ZB4SH?1-- z*%LM>REob|;EQ~%#r9-(MxvKyr1C9bL~JY) zh5WCCs+wy8@oM1NqL^xa+9PgxB&%XcDGJh@v{nn3neXo}rTR7PlUm!X^+5AzO8HWr z8PC5Qp&W{3{jHBe??mmymbo7vxhHjX#`W%-JJxPip$atwVat|bw5Pb ztZFqa$xSMr8=ut=K94Jo>*ZXjM4OO#*muaado=As-WLyA)THYJ!VRS>&sA#VR|-{T z%FpKN$i|-6dmR3Jux^?!ycOfFsdb%dwhz|%%wWSn!*RQ|{p zvp!5jV`{voKK&v2=AM#;uao7HU!Pa~yy2|D&5~Tro8V17UPX(6bNcG|>oN(k>`4$Q zNrhgHa|z~@)2IVZe22|4+A`;9O?|C{Q^74hqM$BYH8skAhu7xEMH7FZHe*2@?`D|^ zUSBW^Rp<>xKA(HyK_N!R#{RAw*Shee{bcF&Xy}et1p?|%BnKE}Q)e$7@szYz-Zlpy z&X5Ek|F~qt(Vl|=2}1|+dY~233diTA+iVMd|EE}?_qZZtvw)gvIj$`19Q)t8hUg_H zc9RzZF90@vQ%QOkagY|_G^W&ES38NYdunGdB4&+A81lqtJA+yqE^NA9C!SQYkH4N zXL}}+EbeDyb87~|mvfN!H6F*i+nob=FJq>5|G4|Ehnc{KEOl8@P3%y6IAOoGkwT`N zL$j-HI2cDgyujmFl!GGB_B`+!b5T`==$llP6tRXgiaDVHc#uxSPG?DJUS-H1!57`g@Aa4bVvN>jfROdTx5%S#r(xmNU&_Ag&4_^mb6MXS%P z4*J^d<`0;qrZ46Bb9K$KExukH`0)@WW{C!GFqb-XQ8HT!EX5rnmbGP^6(*OxnWOd} z;_}CO{O+qc9fzV^4nKZsRhuqd&Xc5u^S>`E*@|Uqa+J+r26|Mt5dID!$lxvpRx-Q^ 
zE84w=sE^9ToD{J-v(dlN+OqO5lrs!8g{iUYV6#$2&F-G}pNw9xOYN3qo!O$1&Mg8TKy*TD0-6sW^(k8;uh0=5t!JW%U4L`8`Ro!P>}PsRGt?|?haZj}94WRY>~&{b;>-3PRdB)vVn%HK`2$@jc&r+vTX|Ga#z z{d{&8$T6cJDKqT2?0>V@xi=)qgd4)FKmRnWBF6|fUNe@Uq z`*}K^R7su=_tZf+m5sV{d @s9kwgt~K5K~3lXOG8`aCTM)$>-eRZEY-B#AoH0I zuvEsIUoxB#g+IOJ^}AsLl4}1@EUuT?OxI_dbug;*x5S>Uns=F6f>%k^I9;c$lAKVW z*;l=VmK$yAS-A}^7U58c+LT|QR#KXla~}kvFsZVAyyxb=2>p5|_u9mQm}_wR_BnfG zsgU>J(Ytm2bL`EcIcbMAZ|gE) zcN&7e->x8B&>ow#qhV6^kG){Hrx0wXs-wNDM$0_-JcIF%xkk9-ziQYFxOqOb1*ps9085nGWG|*Vp zCg#P`4Q>w*(A_*aaTCbjatUdqd_Q(tA&EQJ5kl6Hk&?H9rJcw6eutbX&HZIt^;J|o zyWe>oT+n#QG1Vj;SqjnE8xt2y5b%skKbVBfWHu(11a~6x%Ja~P5S~ky{pXtTD@vR) zhbOH#Mt%u%aYR()JI)$QBp1_64t_zulps2MXOWF@ocfNtkIa$!T;{Zjm^ch6R&TPH zX^R_8X}P>h+Jd{N)CLrA9R zxXfyequ}>bJUmh(&y-ADYBdrt#ommx-isFs>-7+ONe%nzmvpaXl6@)5%=C$g>bZz{I*oxQDh#T``Yd~R*hMe*W`@&)mcmkr zCT~|vnb`crEziY zybUD#e?rm_^mWXzs9?RRaZ!NoTzLwS@26>?XLY2&8bRiHg0%+|xK#a@M#v%ia54{i z=kImVsBcIy95tty+BKksbOEXnp%G#4;5zcTp@XshMUI6JeEBo1wehEt%A|r)F%P^- zv;yEKSp?Fu`GyEwxuWVOK^qdsKu7T1@7(G#t8DH87{5@^8-^@)IY{Gw*w##p2h05? zNMd#UHkf|!CnyR5a%F?kzRfQJE}xoAO(()e&7k(%Rv32Jw@x_?86wWmD{}%LXypFH z)RKYO4w(-dNjymoV+P?Hc@$s7B9y712XOr3EKG|t1maf(e66cRh91HfR8QS{Y?1BY z@NS%EHslLJofH1?-D{E!r;Lz4;&3#6j|ws}0t|xqQAM`{p<|E;$&qX<-ZVjz;=COK z8j;hX2X6g3iTkk>4$u#u5=i0c%=5K$9b}Dt^Y!1cYyR^K0qDBffhH6^d%)xL} zOU<-N6a7jVDk1$9M(G^N(;$2#N8zb59$U*^%2RZjA1cDz()vn0v&=x)dD^!<42TEC z{4eziXOlc|?fsN*VI%DiJf;xGn!~OcayI7*22$Sa7`O6|aWV9ZUOWRa_xpYMKZ(MD z0Kk<~`^&Yv0OMEpNML`dsU59ADcdpJ_2^S?J_ z^+qnJUaaUsB@T# zPqEsjg|;FDyP}SLS4cX3e#X7>3!lFt%d)AqHLcfz=TLl;3NaoKVkJD-{UvTCU%D)& zMa*yB3VvbjT}tI4{4SVmvjgX|w5Oq;S6#HusHD-5vMNaqu6XN%Cd>T=u>`7ZIM5U@Mf>e7E+G6X_!gen!x-Y= zC&tOM4?+NZE^)#ghn|8_>_qBXR1!O*TLTznR13qS*7O$^i?6KR%j^3sNn~XVSa>}6 zV2(&2Bg&yIVhklFrMT9@t?Y6fu4lMpecWkP-nhF<43%6Y6esHp8B%_kvIGqRt{VL% z6OUJsmywB(hJ0o?*lzTFUresQ!%ZPUd+OkiN-)Y>VKUrgJp^y^d~!X^S@o_tA6}Zg mChgKW^k{MHuQJo0n-%_`&+6+3H|S+}z}uk>60lN8u>S*xf4&s} literal 0 HcmV?d00001 
diff --git a/istio/helm/istio/charts/kiali-server-1.37.0.tgz b/istio/helm/istio/charts/kiali-server-1.37.0.tgz deleted file mode 100644 index 7be5b24a0b78d4446c5025a967ac53498a773c38..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5992 zcmV-u7nkTCiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBja~n63a6Zqkz%$;h*nY$zB~enst5luNaW<~?TS-c`_EISp zIMXDt!T=KhBZ{l&zh42E7t9+;i838;h!3_n(`Yo%jYfB)fw?A_lAZ){1ET+Gj)e-A zIHq4cWf=?xgVW*A{682B>i-`e4o|*191hNo2WNxf(b-pn!{d{)~e zHQ2hXdgs27f)nyH2uU~_p_?NQCrSD9FgQL723`a*6eLmR;or5qAR-ZFh$q01$Y{Ox5cIg!f}C6^Oo?Lku!| zDHT>E?2~wAAB-uV@v(-S1CD}(&Ae+^F1U!~$m<~@72#eFSvq1&n8JjCFfSp-gpTaH zo~A|q_l)xyg_+=KA~i`KLJaF3nnCptN(C)@l2htg7D?rXZhu0a&B|hsVRCn*JXSj`#Y1C*>LX zdYV$IbtxXA&3bPQ#y4Kf7|J3Tydxoy& zMC#g{(It{;l5n9QGD>}d!|MeW5ej*nU`6bLfG~^Df>4SkfCR++1|mcl!f2YRQ~=6U ziAMfr+CeMh3i(EmeS>cmtulu^@SY(x2et~@5T@`oXh>vc2jZ<%n0K1U4{8o#K_nb> z5KCr^3y3x#G?fqqULDCO?||oww}9VLBC?V8^|~zQWU73GQ#D6Y39MkY)b#z6r)Z9E zKrg`8j4u$@OPlVMA~B%F94oZssX!MzRe*lFcw4Y%0wGQ%c+Zd^v$;aLwjLL)`H|85 zD8%e*g{EYtS*J8{JXHuQBvNMZKPL(;cuFJh8DapDCS!q#wHq`tYhT#L71zz$G0H|v zgMCPVUFz;>4sxXDuR=tjGszano2)vvWmN1_qByU%_Y5z2n&B4qnsimk4giJ>8$ zl9(uI#mF{hNX1G)oG8OCfCDs1^VgS|t#}@WJY@>au|x@om`FYCWmW^h4Tz zi$8FIVlDt_3r}#0_zei#Y|elN>JT&AdMd$T(}&!+K?sK-NJ%CX%Au6Hi#_DOeCcb5 zC?eVr#&n!nxnsRrW}}3sQ^JT^>M95^u4k)xfl$ID_wO-giewMw3APn*LdJ#Z^ zB@~QeNCdgT3dYy4%pQ7_&j=eUeho~6NHSxD%`}8nE!GkpnL!q6gpLM-fgZUSlptYK z?(*jr`rE;`x}OV}j0NY)p#0nx)*ri6?0>DKDOMo+?>}6loGzI=lEzU(e@`bM7$}gY7BUu}G(MAYCajNW{I=(rBlP|I zOASld%-F&&0`H0=N#c}R7Z1<^TgW_ci56U3OKbUe`P@ig?YnDF%sOeDMyT$62i^}( zEJId<83%|=8#VF(g_&r^@#!RhNDFn~X*%nO4iL{{3oH8(c!p(ncRkG~!XPs&vq>K0 zczx8%z{nIm*Ut5G_zeX=+ZbRck(rhH0zGF?KsP#_L%l%v+Ah?sbi)2_r9{g|Mi5X5 z&5E5QwIElrOp*u$MC*D>`RuK(Qjwq*E>#-MK{tgnGO(hO^(%vt{+=^By;kP)IOfbU zRIcly0kR#O1C0YY?;9qM(A^y(ETn1FAq0VL5hqEuW#e_i=T7O{tSwWqaJjWD(mGV7 zYlnU>G;!0~`W^k2as?SN!F8c#1H${eX(h%C&mihembRhX^2!4<79o5d#$ZHdu%Olb9J+V`K4A3TBqsvpg_c$JU#RB0X5z*GTw0R3ZrXSZZH9J 
zCpvIE=+^nz0ozosD*&51Szs2O(`1g{r!hJ_U8i^3d%u7Q(r)^??q>hxUVUpfYcQzU zzdA%!yY~I|j_M{};l%D=6Oh6A$2Xbq%iu>Wk#FL{K@l)D)9cW;7%Ywqx&2Y1&tGOc z7bQev5H}ppJQ#yQ5Z0Cp(3Oe%8XKg9n`)o#`WyLQHfYOP8B<@!i@c4Xi1bw0F~{=n zuq?*BpvZT?8=Pt4{FJ<~-O)|;6_r7#b#^y*o|G?HJWNmVPtBfs=xsADHEVSC1A{FW-HLy~q_xGLakdwRK}Vi8X3#0lhGA4CrefA8e{)y<~W(673|3&zbN*= zZ9+*%6kQ_1B4WcJ%sBBiTuYv!1!n4jJgadn(|*n@>{gN4B;HIj{xBqi8Jgmomj|anj{C5{+Tm9YZ^}I?B@u7E3STrhAT)bjSy~uan(2MTn zQkYfDQd_#Vh&+@<1V-hm(%K3w0xrKJMwm8e(a<7rcie4CfsIuJ6HvH10EGPuLRHW> zLcS6y_+AhMUy$3n~s^wfDwY_e&48182>TU5Bw;O^_c_ z0!)obG)@Fe$!%vF&IDV5-ep&1t87cWt>L_`5pD?-Zic%Vgj&}`v&O2HoIp47E8+8w zb~?lDt6IrsmtRJ$JFqvR+f}TJ{}ad5NOw)`X+vXc{ok?vJDWk<8vtwaKZZw#_49wH zXNO1o^?w(ozW(DRk^RC5_`VQ>KfV=U(xNLFx9yvo`Fq=Fkr`~Wf3XVZZyh>TQPSMM zEh#$9u;*#>2ASZL5;ptE97V|S$N2U#6*I62!r7Cb7{0-T;t4ID+l=1}7lnsVK4WXi z%NeGJ^2sD)S9Cm35|;U+khy1dl<@ zAvJr!G88x|y}foIn~m(qU#%7W-rYN|^uUSLt!UolZm(|N_q&G%q2eU0lj4nL{2)I$ zun7;H0e%=G-HMxWGoRj$Q=T2{c>f3~U(u~*Dt}omfB8zkE85)I2>#Ovl%=TVXssi!5V5S4?7_F&0AIF$QrJm^_zt0opp2zXsmp$vQR-WY>o#sty zPj&Pix3&b95T-^FIa6?}%4QM5l=8(#L2d|z8N8Murq~|dx92@d$Rr1fn(qYQ=mVq6 z3(nOKgo0d31#xliq5wc%io~FN`w-u<|~A; z={z*^TG0J{e-4%^6A5QIm?tK&iOj*=VLv*5F`0N71aHJrb?dh_$^@%!_4uP;BI zzk2OpGC`yt1dpq{G1=l5Fs(k#o_{oq%Z=io@Io5xzWwmG@!QuwzkXY9&@Nn^QGqNA zHmIyhF47-9T)aEKYR9@dr_~;L>_mL^=H2V@4{u(-{r-_{G)`CQrci5Jm*?+3zI}Z$ zzBs>XaAaLG?upDwXKpx6V|b_Sx0W?x;|(Hrp>$}AHD1g9)-|;`s2jHkm3i9M5D4{n z{MHy--GYVLq7UV^+NyqJQ2qwKKyj|My3!Tb)VLVB9fJ}}=@J~SUQewUIripL$WNGu zs9mk{7^`qA;j&zINqCA}8yEM394A9uQ#{)j5*NP-wFjHazj5t)*!p($mg*~zlRC7; zN@>$-Fl|`3jW)NO&P|@yIMFgIoHODZP`$M-*k1VSI9(n+N_IElR+lf$1$y2xsQFC| z0pk(8K+o5KB|Lhu7Q$TW@WP?CdLIN@sX{9hRoqb?!Fem9ZcSQ6wy`$dh`xkZqhmaJ zG<6!)lM`pSP^XY7vJI6M=f}Ia8Q^`Dv`9B;CjvMzs?C*csO?evQe8t99^}euNnQZ3DGEfUH zt_hn3*WXCTlXd4_8&Ktt$~xc)D17M78#{yFSjzwSN~&d_yZxM>!M}uHsPC}U-G3ZTjcnvI) zL5Amf<>m#gPoJ5;Lmulc_J+sb91YLD9e(p-J&hS*m_^Wj@gEpGB7b!*`^ zV>Q1rNk<<|PHOQYV@@@SWukV~U6{x1qoaIVthS@W(s%-*b8~o25=}SFkI5c!s;}I! 
z?v4?-%Pz!;TDDzNF#RoJ#Y~@b+1gMJ*m@+e=3noR_w7rqblCsgWT-z;1YoWIKd9gT zesVh8+y6T$+wLjVEdQ2s+x6H1uO5EL40daCe>hLo{FONjvBj~$6{hx13~~Vx5fG}M zF5Z|=bT~@8Wqf7=GxZMCoJS*sQ^h@#z;(`+mm$~7ui54JRO-89{tHf_m))(MP|UVE z2)y?E@1Pd{I~wfof80^2&rUJHp*fz!1^Kt}*Br0fPSOibVVgs}j#M>fX0`2Me6Eq9@p?b1qnxAr7^NQqQm{IujQ^=fu$|&UO}SWL5moVq=4R9k zP^vmYxK+T6LFgYKA18@yYa+rBb0#4h(=uRE>1^>{Dy(3dQrS?goAq*{AGUH@aP}`g zv8`l(JPf;KS{Wj-Nlb+2tAWYAcb__6cKF4A>Hqqe{^((?7{;w*Tnws}=SPiP_O-sX zjb(5xZPXAp9fUS?25LPrqCk8TD9&lCl)-HRg5+ZL@KH|H+#W1x_I7q- z7Sxy#0fn3|J2o3S+x$}*5D(?Ymt zzyGna@t+X}-pZ~p^^2GTct24i!p>uN&Xz^(XGz?A-iVwk?Z%yu3g7C0Kq3)kT*4W4_Eia!v$gYqUjg zjuLH>JGzCLuu;lThyKs6J>SLopX0;k{onf0UjOf)bl(4+i|ZGlD7%ioY;{pa_r?F_ z4V$?aV)Pz<&xd<8M0;|$`Lxjn8R9S2L77XPaP<>MWQscBUHwzs5(&2o1jDqK3fh&2 zZW}`P_oIG)Wv2SwU3mka-}!~UjJ_i8qB~92uf{8os%4TdkLEZ?*EJ<|=t{SX%K#sL+9|)fN6n5A zUA?l`nsr^!T8jPyt`zLNOmOpdEB6UDN3VKI@#C%}9=7(&z3?K6h`m{5oHNrHUK?0k zT~%FktJOaF+{@pezO1(YvRjz8Gy~V|{~R~&e?L1J?)QIoQr6jjc}VdOZwBtQ$-eB% WzU<3`%Krrb0RR6Eq~u@#o&W%5x1II? diff --git a/istio/helm/istio/crds/crd-all.gen.yaml b/istio/helm/istio/crds/crd-all.gen.yaml index 0387315da..45f40e73b 100644 --- a/istio/helm/istio/crds/crd-all.gen.yaml +++ b/istio/helm/istio/crds/crd-all.gen.yaml 
@@ -1,6 +1,153 @@ # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: Specifies the failure behavior for the plugin due to + fatal errors. + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: Criteria for selecting traffic by their direction. 
+ enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + type: integer + type: object + type: array + type: object + type: array + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + type: string + value: + description: Value for the environment variable. + type: string + valueFrom: + enum: + - INLINE + - HOST + type: string + type: object + type: array + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep 
@@ -49,24 +196,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -85,12 +228,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -117,6 +259,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -146,50 +291,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: @@ -200,11 +373,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -212,15 +383,29 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -228,14 +413,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or - failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -252,26 +436,36 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: 
@@ -292,6 +486,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -301,6 +498,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -321,13 +522,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to - a backend. + description: Maximum number of active requests + to a destination. format: int32 type: integer idleTimeout: @@ -355,6 +554,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -385,50 +587,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: @@ -439,11 +669,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -452,15 +680,31 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -468,14 +712,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute - or failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -492,26 +735,37 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. type: string type: object outlierDetection: 
@@ -532,6 +786,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -542,6 +799,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: @@ -553,15 +814,15 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -571,16 +832,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -591,15 +849,15 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE 
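Review bot: `insecureSkipVerify` enters the upstream TLS settings in the `@@ -553,15 +814,15 @@` hunk with only `nullable: true` and `type: boolean`, and no description, while sibling fields such as `sni` and `clientCertificate` carry one. The same addition repeats in the `-591,15`, `-1101,15`, `-1139,15`, `-1709,15` and `-1747,15` hunks. Going by the name and Istio's API, setting it presumably disables verification of the server certificate for that destination, so anyone allowed to create or edit a DestinationRule could weaken upstream TLS without it being obvious in review. I would add `description: Skips verification of the upstream server certificate (CA signature and SAN); leave unset outside testing.`, and because this schema looks generated from upstream and a local edit may be overwritten on the next upgrade, also consider an admission policy that rejects `insecureSkipVerify: true` outside approved namespaces. The enclosing TLS settings object starts above the hunk.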
@@ -609,19 +867,31 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object type: object type: object type: array @@ -641,12 +911,10 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: @@ -673,6 +941,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -702,50 +973,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: @@ -756,11 +1055,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -768,14 +1065,28 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -783,14 +1094,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or failover - can be set.' + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -806,26 +1116,35 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute can - be set.' + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: 
@@ -846,6 +1165,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -855,6 +1177,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -874,12 +1200,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -906,6 +1231,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -935,50 +1263,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: @@ -989,11 +1345,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -1001,15 +1355,29 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1017,14 +1385,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or - failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1041,26 +1408,36 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: 
@@ -1081,6 +1458,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1090,6 +1470,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: @@ -1101,15 +1485,15 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -1119,16 +1503,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1139,15 +1520,15 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE 
@@ -1157,19 +1538,38 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object type: object type: object status: @@ -1205,24 +1605,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -1241,12 +1637,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -1273,6 +1668,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -1302,65 +1700,91 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. 
- format: string + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1368,15 +1792,29 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1384,14 +1822,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or - failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: 
@@ -1408,26 +1845,36 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: @@ -1448,6 +1895,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1457,6 +1907,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -1477,13 +1931,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to - a backend. + description: Maximum number of active requests + to a destination. format: int32 type: integer idleTimeout: 
@@ -1511,6 +1963,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -1541,50 +1996,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: 
@@ -1595,11 +2078,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1608,15 +2089,31 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1624,14 +2121,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute - or failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: 
@@ -1648,26 +2144,37 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. type: string type: object outlierDetection: @@ -1688,6 +2195,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -1698,6 +2208,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: @@ -1709,15 +2223,15 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -1727,16 +2241,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object 
@@ -1747,15 +2258,15 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -1765,19 +2276,31 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object type: object type: object type: array @@ -1797,12 +2320,10 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to a destination. format: int32 type: integer idleTimeout: @@ -1829,6 +2350,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -1858,50 +2382,78 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash properties: @@ -1912,11 +2464,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -1924,14 +2474,28 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -1939,14 +2503,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or failover - can be set.' + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1962,26 +2525,35 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute can - be set.' + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: 
@@ -2002,6 +2574,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2011,6 +2586,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -2030,12 +2609,11 @@ spec: - UPGRADE type: string http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. format: int32 type: integer http2MaxRequests: - description: Maximum number of requests to a backend. + description: Maximum number of active requests to + a destination. format: int32 type: integer idleTimeout: @@ -2062,6 +2640,9 @@ spec: connectTimeout: description: TCP connection timeout. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. 
@@ -2091,53 +2672,81 @@ spec: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} required: - consistentHash - required: - simple - properties: consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: consistentHash: properties: httpCookie: 
@@ -2145,11 +2754,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -2157,15 +2764,29 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object minimumRingSize: + description: Deprecated. type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object useSourceIp: description: Hash based on the source IP address. type: boolean @@ -2173,14 +2794,13 @@ spec: localityLbSetting: properties: distribute: - description: 'Optional: only one of distribute or - failover can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: 
@@ -2197,26 +2817,36 @@ spec: nullable: true type: boolean failover: - description: 'Optional: only failover or distribute - can be set.' + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' items: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array type: object simple: enum: - - ROUND_ROBIN + - UNSPECIFIED - LEAST_CONN - RANDOM - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. type: string type: object outlierDetection: @@ -2237,6 +2867,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2246,6 +2879,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: @@ -2257,15 +2894,15 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -2275,16 +2912,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object 
@@ -2295,15 +2929,15 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string + insecureSkipVerify: + nullable: true + type: boolean mode: enum: - DISABLE @@ -2313,19 +2947,38 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object type: object type: object status: @@ -2385,6 +3038,8 @@ spec: - HTTP_ROUTE - CLUSTER - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER type: string match: description: Match on listener/route configuration/cluster. @@ -2409,7 +3064,6 @@ spec: properties: name: description: The exact name of the cluster to match. - format: string type: string portNumber: description: The service port for which this cluster @@ -2418,11 +3072,9 @@ spec: service: description: The fully qualified service name for this cluster. - format: string type: string subset: description: The subset associated with the service. - format: string type: string type: object context: @@ -2442,7 +3094,6 @@ spec: properties: applicationProtocols: description: Applies only to sidecars. - format: string type: string destinationPort: description: The destination_port value used by 
@@ -2454,36 +3105,32 @@ spec: properties: name: description: The filter name to match on. - format: string type: string subFilter: properties: name: description: The filter name to match on. - format: string type: string type: object type: object name: description: The name assigned to the filter chain. - format: string type: string sni: description: The SNI value used by a filter chain's match condition. - format: string type: string transportProtocol: description: Applies only to `SIDECAR_INBOUND` context. - format: string type: string type: object + listenerFilter: + description: Match a specific listener filter. + type: string name: description: Match a specific listener by its name. - format: string type: string portName: - format: string type: string portNumber: type: integer @@ -2493,33 +3140,27 @@ spec: properties: metadata: additionalProperties: - format: string type: string type: object proxyVersion: - format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: - format: string type: string name: description: Route configuration name to match on. - format: string type: string portName: description: Applicable only for GATEWAY context. - format: string type: string portNumber: type: integer vhost: properties: name: - format: string type: string route: description: Match a specific route within the virtual @@ -2535,7 +3176,6 @@ spec: - DIRECT_RESPONSE type: string name: - format: string type: string type: object type: object @@ -2571,11 +3211,15 @@ spec: type: object type: object type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer workloadSelector: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -2625,7 +3269,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: 
@@ -2633,34 +3276,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2670,18 +3307,15 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2710,28 +3344,24 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object @@ -2756,7 +3386,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: 
@@ -2764,34 +3393,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2801,18 +3424,15 @@ spec: behavior. properties: caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2841,28 +3461,24 @@ spec: - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL + - OPTIONAL_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object 
@@ -2878,6 +3494,72 @@ spec: subresources: status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2914,7 +3596,7 @@ spec: jsonPath: .spec.location name: Location type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string 
@@ -2937,7 +3619,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: @@ -2945,20 +3626,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -2966,7 +3643,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -2976,13 +3652,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -2996,29 +3670,27 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer type: object type: array resolution: - description: Service discovery mode for the hosts. + description: Service resolution mode for the hosts. enum: - NONE - STATIC - DNS + - DNS_ROUND_ROBIN type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: @@ -3026,7 +3698,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object 
@@ -3049,7 +3720,7 @@ spec: jsonPath: .spec.location name: Location type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) jsonPath: .spec.resolution name: Resolution type: string @@ -3072,7 +3743,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: @@ -3080,20 +3750,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -3101,7 +3767,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -3111,13 +3776,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -3131,29 +3794,27 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer type: object type: array resolution: - description: Service discovery mode for the hosts. + description: Service resolution mode for the hosts. enum: - NONE - STATIC - DNS + - DNS_ROUND_ROBIN type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: 
@@ -3161,7 +3822,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3211,7 +3871,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3221,7 +3880,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3229,14 +3887,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3247,8 +3903,8 @@ spec: items: properties: bind: - description: The IP to which the listener should be bound. - format: string + description: The IP(IPv4 or IPv6) to which the listener should + be bound. type: string captureMode: enum: 
@@ -3257,25 +3913,83 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object type: object type: array outboundTrafficPolicy: @@ -3285,7 +3999,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being 
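Review bot: The `tls` block added to the inbound listener at -3257/+3913 accepts `TLSV1_0` and `TLSV1_1` for `minProtocolVersion`, and its description does not say which version applies when the field is omitted. I would extend the description to `'Optional: Minimum TLS protocol version. Set TLSV1_2 or higher unless a legacy client requires otherwise.'`. The same block is added again in the hunk at -3380/+4087. If this schema is vendored from upstream Istio, keep the file as generated and hold the protocol floor through manifest review instead.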
@@ -3296,7 +4009,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3309,7 +4021,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3334,7 +4045,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3344,7 +4054,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3352,14 +4061,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3370,8 +4077,8 @@ spec: items: properties: bind: - description: The IP to which the listener should be bound. - format: string + description: The IP(IPv4 or IPv6) to which the listener should + be bound. type: string captureMode: enum: 
@@ -3380,25 +4087,83 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object type: object type: array outboundTrafficPolicy: @@ -3408,7 +4173,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being 
@@ -3419,7 +4183,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3432,7 +4195,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3501,20 +4263,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -3529,21 +4288,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: @@ -3566,20 +4322,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: 
@@ -3589,14 +4341,41 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. @@ -3619,10 +4398,9 @@ spec: - http2Error properties: grpcStatus: - format: string + description: GRPC status code to use to abort the request. type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -3678,17 +4456,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -3696,17 +4471,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object 
@@ -3732,21 +4504,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: @@ -3768,14 +4536,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object @@ -3801,19 +4566,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -3838,14 +4599,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. @@ -3868,25 +4626,24 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. type: string uri: oneOf: 
@@ -3906,14 +4663,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: @@ -3935,14 +4689,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the @@ -3954,7 +4705,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3965,7 +4715,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: 
@@ -3986,30 +4735,79 @@ spec: format: double type: number type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. 
+ format: int32 type: integer perTryTimeout: description: Timeout per attempt for a given request, including @@ -4018,7 +4816,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should @@ -4032,15 +4829,25 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. items: properties: destination: @@ -4048,7 +4855,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4059,7 +4865,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: @@ -4068,17 +4873,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object 
@@ -4086,22 +4888,21 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object @@ -4122,14 +4923,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4138,18 +4937,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4163,7 +4959,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4174,10 +4969,11 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object @@ -4194,14 +4990,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: 
@@ -4211,18 +5005,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array @@ -4236,7 +5027,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4247,10 +5037,11 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object @@ -4295,20 +5086,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -4323,21 +5111,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: 
@@ -4360,20 +5145,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: @@ -4383,14 +5164,41 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. @@ -4413,10 +5221,9 @@ spec: - http2Error properties: grpcStatus: - format: string + description: GRPC status code to use to abort the request. type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -4472,17 +5279,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object 
@@ -4490,17 +5294,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4526,21 +5327,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: @@ -4562,14 +5359,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object @@ -4595,19 +5389,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -4632,14 +5422,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. 
@@ -4662,25 +5449,24 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. type: string uri: oneOf: @@ -4700,14 +5486,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: @@ -4729,14 +5512,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the @@ -4748,7 +5528,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -4759,7 +5538,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: 
@@ -4780,21 +5558,70 @@ spec: format: double type: number type: object + mirrors: + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + percentage: + properties: + value: + format: double + type: number + type: object + type: object + type: array name: description: The name assigned to the route for debugging purposes. - format: string type: string redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: authority: - format: string type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer redirectCode: type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string uri: - format: string type: string type: object retries: @@ -4812,7 +5639,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should 
@@ -4826,15 +5652,25 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object type: object route: - description: A HTTP rule can either redirect or forward (default) - traffic. + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. items: properties: destination: @@ -4842,7 +5678,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4853,7 +5688,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: @@ -4862,17 +5696,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4880,22 +5711,21 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object 
@@ -4916,14 +5746,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4932,18 +5760,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4957,7 +5782,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4968,10 +5792,11 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object @@ -4988,14 +5813,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -5005,18 +5828,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array 
@@ -5030,7 +5850,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -5041,10 +5860,11 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. format: int32 type: integer type: object @@ -5109,20 +5929,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5130,7 +5946,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5166,20 +5981,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5187,7 +5998,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. 
@@ -5248,12 +6058,10 @@ spec: properties: annotations: additionalProperties: - format: string type: string type: object labels: additionalProperties: - format: string type: string type: object type: object @@ -5283,7 +6091,6 @@ spec: command: description: Command to run. items: - format: string type: string type: array type: object @@ -5297,29 +6104,24 @@ spec: host: description: Host name to connect to, defaults to the pod IP. - format: string type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: - format: string type: string value: - format: string type: string type: object type: array path: description: Path to access on the HTTP server. - format: string type: string port: description: Port on which the endpoint lives. type: integer scheme: - format: string type: string type: object initialDelaySeconds: @@ -5340,7 +6142,6 @@ spec: description: Health is determined by if the proxy is able to connect. properties: host: - format: string type: string port: type: integer 
@@ -5354,33 +6155,385 @@ spec: description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. properties: - address: - format: string - type: string - labels: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: additionalProperties: - format: string type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer type: object type: object status: @@ -5388,35 +6541,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - name: v1beta1 schema: openAPIV3Schema: @@ -5445,7 +6572,6 @@ spec: properties: name: description: Specifies the name of the extension provider. - format: string type: string type: object rules: 
@@ -5462,61 +6588,51 @@ spec: ipBlocks: description: Optional. items: - format: string type: string type: array namespaces: description: Optional. items: - format: string type: string type: array notIpBlocks: description: Optional. items: - format: string type: string type: array notNamespaces: description: Optional. items: - format: string type: string type: array notPrincipals: description: Optional. items: - format: string type: string type: array notRemoteIpBlocks: description: Optional. items: - format: string type: string type: array notRequestPrincipals: description: Optional. items: - format: string type: string type: array principals: description: Optional. items: - format: string type: string type: array remoteIpBlocks: description: Optional. items: - format: string type: string type: array requestPrincipals: description: Optional. items: - format: string type: string type: array type: object @@ -5532,49 +6648,41 @@ spec: hosts: description: Optional. items: - format: string type: string type: array methods: description: Optional. items: - format: string type: string type: array notHosts: description: Optional. items: - format: string type: string type: array notMethods: description: Optional. items: - format: string type: string type: array notPaths: description: Optional. items: - format: string type: string type: array notPorts: description: Optional. items: - format: string type: string type: array paths: description: Optional. items: - format: string type: string type: array ports: description: Optional. items: - format: string type: string type: array type: object @@ -5586,18 +6694,15 @@ spec: properties: key: description: The name of an Istio attribute. - format: string type: string notValues: description: Optional. items: - format: string type: string type: array values: description: Optional. items: - format: string type: string type: array type: object 
@@ -5609,7 +6714,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5703,7 +6807,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object 
@@ -5744,6 +6847,90 @@ spec: singular: requestauthentication scope: Namespaced versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - name: v1beta1 schema: openAPIV3Schema: @@ -5759,12 +6946,11 @@ spec: properties: audiences: items: - format: string type: string type: array forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. + description: If set to true, the original token will be kept + for the upstream request. type: boolean fromHeaders: description: List of header locations from which JWT is expected. 
@@ -5772,48 +6958,51 @@ spec: properties: name: description: The HTTP header name. - format: string type: string prefix: description: The prefix that should be stripped before decoding the token. - format: string type: string type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: - format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. - format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string type: string jwks_uri: - format: string type: string jwksUri: - format: string type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array outputPayloadToHeader: - format: string type: string type: object type: array selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. + description: Optional. properties: matchLabels: additionalProperties: - format: string type: string type: object type: object 
@@ -5868,15 +7057,137 @@ spec: openAPIV3Schema: properties: spec: - description: Telemetry defines how the telemetry is generated for workloads - within a mesh. + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. 
+ enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + reportingInterval: + description: Optional. + type: string + type: object + type: array selector: description: Optional. properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5908,26 +7219,20 @@ spec: properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the environment variable from which to extract the tag value. - format: string type: string type: object header: - description: RequestHeader adds the value of an header - from the request to each span. properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the header from which to extract the tag value. - format: string type: string type: object literal: @@ -5936,7 +7241,6 @@ spec: properties: value: description: The tag value to use. - format: string type: string type: object type: object 
@@ -5946,19 +7250,31 @@ spec: description: Controls span reporting. nullable: true type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object providers: description: Optional. items: properties: name: description: Required. - format: string type: string type: object type: array randomSamplingPercentage: nullable: true type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean type: object type: array type: object diff --git a/istio/helm/istio/crds/crd-operator.yaml b/istio/helm/istio/crds/crd-operator.yaml index d36421f92..2a80f4186 100644 --- a/istio/helm/istio/crds/crd-operator.yaml +++ b/istio/helm/istio/crds/crd-operator.yaml @@ -1,3 +1,4 @@ +# SYNC WITH manifests/charts/istio-operator/templates apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -35,12 +36,13 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha1 subresources: status: {} + name: v1alpha1 schema: openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true served: true - storage: true \ No newline at end of file + storage: true +--- diff --git a/istio/helm/istio/deps.yaml b/istio/helm/istio/deps.yaml index d8c34b3ae..0852f4f28 100644 --- a/istio/helm/istio/deps.yaml +++ b/istio/helm/istio/deps.yaml @@ -4,20 +4,13 @@ metadata: application: true description: deploys istio operator and istio itself spec: + breaking: true dependencies: - type: helm name: bootstrap repo: bootstrap version: '>= 0.7.12' - - type: helm - name: monitoring - repo: monitoring - version: '>= 0.1.37' - - type: helm - name: ingress-nginx - repo: ingress-nginx - version: '>= 0.1.2' - type: terraform name: kube repo: istio - version: '>= 0.1.4' \ No newline at end of file + version: '>= 0.1.4' 
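Review bot: The `monitoring` dependency is removed from `istio/helm/istio/deps.yaml` in this hunk, yet the chart keeps `templates/monitoring/service-monitor.yaml` and `federation-service-monitor.yaml`, and the new `values.yaml` defaults to `monitoring.enabled: true`. If those templates are gated on that value (the guard is outside the visible hunks), installing on a cluster without the Prometheus operator CRDs would presumably fail on the ServiceMonitor objects. Either keep the `monitoring` entry here or change the default to `enabled: false` under `monitoring:`. The recipe hunks for `istio-aws.yaml`, `istio-azure.yaml` and `istio-gcp.yaml` drop the same dependency. A short comment above `breaking: true` stating what makes the upgrade breaking would also help operators.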
diff --git a/istio/helm/istio/istio-nginx-sni-proxy/nginx.conf b/istio/helm/istio/istio-nginx-sni-proxy/nginx.conf deleted file mode 100644 index 1833a5078..000000000 --- a/istio/helm/istio/istio-nginx-sni-proxy/nginx.conf +++ /dev/null @@ -1,21 +0,0 @@ -# setup custom path that do not require root access -pid /tmp/nginx.pid; - -events { -} - -stream { - log_format log_stream '$remote_addr [$time_local] $protocol [$ssl_preread_server_name]' - '$status $bytes_sent $bytes_received $session_time'; - - access_log /var/log/nginx/access.log log_stream; - error_log /var/log/nginx/error.log; - - # tcp forward proxy by SNI - server { - resolver 8.8.8.8 ipv6=off; - listen 127.0.0.1:18443; - proxy_pass $ssl_preread_server_name:443; - ssl_preread on; - } -} diff --git a/istio/helm/istio/templates/authorizationpolicy.yaml b/istio/helm/istio/templates/authorizationpolicy.yaml deleted file mode 100644 index 0a432c170..000000000 --- a/istio/helm/istio/templates/authorizationpolicy.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-egress - namespace: {{ .Values.istio.namespace }} -spec: - action: ALLOW - rules: - - {} - selector: - matchLabels: - istio: egressgateway -{{- end }} diff --git a/istio/helm/istio/templates/configmap.yaml b/istio/helm/istio/templates/configmap.yaml deleted file mode 100644 index 941d7cb41..000000000 --- a/istio/helm/istio/templates/configmap.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: egress-sni-proxy-configmap - namespace: {{ .Values.istio.namespace }} -data: - nginx.conf: | -{{ .Files.Get "istio-nginx-sni-proxy/nginx.conf" | indent 4 }} -{{- end }} diff --git a/istio/helm/istio/templates/destinationrule.yaml b/istio/helm/istio/templates/destinationrule.yaml deleted file mode 100644 index ac0de41c9..000000000 
--- a/istio/helm/istio/templates/destinationrule.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: networking.istio.io/v1beta1 -kind: DestinationRule -metadata: - name: disable-mtls-for-sni-proxy - namespace: {{ .Values.istio.namespace }} -spec: - host: sni-proxy.local - trafficPolicy: - tls: - mode: DISABLE ---- -apiVersion: networking.istio.io/v1beta1 -kind: DestinationRule -metadata: - name: egressgateway-for-allowed-tlds - namespace: {{ .Values.istio.namespace }} -spec: - host: istio-egressgateway.{{ .Values.istio.namespace }}.svc.cluster.local - subsets: - - name: allowed-tlds - trafficPolicy: - loadBalancer: - simple: ROUND_ROBIN - portLevelSettings: - - port: - number: 443 - tls: - mode: ISTIO_MUTUAL -{{- end }} diff --git a/istio/helm/istio/templates/envoyfilter.yaml b/istio/helm/istio/templates/envoyfilter.yaml deleted file mode 100644 index 3c14fa94d..000000000 --- a/istio/helm/istio/templates/envoyfilter.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -# The following filter is used to forward the original SNI (sent by the application) as the SNI of the -# mutual TLS connection. -# The forwarded SNI will be will be used to enforce policies based on the original SNI value. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: forward-downstream-sni - namespace: {{ .Values.istio.namespace }} -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - listener: - portNumber: 443 - filterChain: - filter: - name: istio.stats - patch: - operation: INSERT_BEFORE - value: - name: forward_downstream_sni - config: {} ---- -# The following filter verifies that the SNI of the mutual TLS connection is -# identical to the original SNI issued by the client (the SNI used for routing by the SNI proxy). -# The filter prevents the gateway from being deceived by a malicious client: routing to one SNI while -# reporting some other value of SNI. If the original SNI does not match the SNI of the mutual TLS connection, -# the filter will block the connection to the external service. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: egress-gateway-sni-verifier - namespace: {{ .Values.istio.namespace }} -spec: - workloadSelector: - labels: - app: istio-egressgateway - configPatches: - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - listener: - portNumber: 443 - filterChain: - filter: - name: istio.stats - patch: - operation: INSERT_BEFORE - value: - name: sni_verifier - config: {} -{{- end }} diff --git a/istio/helm/istio/templates/gateway.yaml b/istio/helm/istio/templates/gateway.yaml deleted file mode 100644 index 6c5b12656..000000000 --- a/istio/helm/istio/templates/gateway.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - name: istio-egressgateway - namespace: {{ .Values.istio.namespace }} -spec: - selector: - istio: egressgateway - servers: - - port: - number: 443 - name: tls-egress - protocol: TLS - hosts: - - "*" - tls: - mode: ISTIO_MUTUAL -{{- end }} diff --git a/istio/helm/istio/templates/istio.yaml b/istio/helm/istio/templates/istio.yaml deleted file mode 100644 index b6b8e18c4..000000000 --- a/istio/helm/istio/templates/istio.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: istio-plural - labels: {{ include "istio.labels" . | nindent 4 }} - namespace: {{ .Values.istio.namespace }} - # annotations: - # helm.sh/hook: post-install,post-upgrade - # helm.sh/hook-weight: "5" -spec: - profile: default - hub: {{ .Values.istio.hub }} - tag: {{ .Values.istio.tag }} - meshConfig: - outboundTrafficPolicy: - mode: ALLOW_ANY - accessLogFile: /dev/stdout - accessLogFormat: | - [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME% traceID=%REQ(x-b3-traceid)% - enablePrometheusMerge: true - {{ if .Values.monitoring.tracing.enabled }} - enableTracing: true - {{ end }} - defaultConfig: - {{ if .Values.monitoring.tracing.enabled }} - tracing: - sampling: {{ .Values.monitoring.tracing.sampling }} - max_path_tag_length: 256 - zipkin: - address: {{ .Values.monitoring.tracing.tempoService }}.{{ .Values.monitoring.tracing.tempoNamespace }}.svc.cluster.local:9411 - {{ end }} - extensionProviders: - {{ if .Values.kubeflow.enabled }} - - name: kubeflow - envoyExtAuthzHttp: - service: kubeflow-central-dashboard.{{ .Values.kubeflow.namespace }}.svc.cluster.local - port: '4180' # The default port used by oauth2-proxy. - #includeHeadersInCheck: ["authorization", "cookie"] # headers sent to the oauth2-proxy in the check request. - includeHeadersInCheck: # headers sent to the oauth2-proxy in the check request. 
- # https://github.com/oauth2-proxy/oauth2-proxy/issues/350#issuecomment-576949334 - - cookie - - x-forwarded-access-token - - x-forwarded-user - - x-forwarded-email - - authorization - - x-forwarded-proto - - proxy-authorization - - user-agent - - x-forwarded-host - - from - - x-forwarded-for - - accept - headersToUpstreamOnAllow: [authorization, path, x-auth-request-user, x-auth-request-email, x-auth-request-access-token, x-auth-request-user-groups] # headers sent to backend application when request is allowed. - headersToDownstreamOnDeny: [content-type, set-cookie] # headers sent back to the client when request is denied. - {{ end }} -{{ with .Values.istio.istioComponents }} - components: - {{ toYaml . | nindent 4 }} -{{ end }} - values: - pilot: - env: - PILOT_ENABLE_STATUS: true - global: - istiod: - enableAnalysis: true - istioNamespace: {{ .Values.istio.namespace }} - {{ if .Values.monitoring.tracing.enabled }} - tracer: - zipkin: - address: {{ .Values.monitoring.tracing.tempoService }}.{{ .Values.monitoring.tracing.tempoNamespace }}.svc.cluster.local:9411 - {{ end }} - sidecarInjectorWebhook: - neverInjectSelector: - # kube-prometheus-stack - ## Admission Webhook jobs do not terminate as expected with istio-proxy - - matchExpressions: - - {key: app, operator: In, values: [kube-prometheus-stack-admission-create, kube-prometheus-stack-admission-patch, alertmanager]} diff --git a/istio/helm/istio/templates/monitoring/federation-service-monitor.yaml b/istio/helm/istio/templates/monitoring/federation-service-monitor.yaml index a2677dee4..68fabc85e 100644 --- a/istio/helm/istio/templates/monitoring/federation-service-monitor.yaml +++ b/istio/helm/istio/templates/monitoring/federation-service-monitor.yaml @@ -7,7 +7,7 @@ metadata: spec: namespaceSelector: matchNames: - - {{ .Values.istio.namespace }} + - {{ .Release.Namespace }} selector: matchLabels: app: prometheus 
diff --git a/istio/helm/istio/templates/monitoring/service-monitor.yaml b/istio/helm/istio/templates/monitoring/service-monitor.yaml index a6f49dabf..8e6d5e8ea 100644 --- a/istio/helm/istio/templates/monitoring/service-monitor.yaml +++ b/istio/helm/istio/templates/monitoring/service-monitor.yaml @@ -15,20 +15,4 @@ spec: endpoints: - port: http-monitoring interval: 15s ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: kiali-service-monitor - labels: {{ include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: kiali - namespaceSelector: - matchNames: - - {{ .Values.istio.namespace }} - endpoints: - - port: http-metrics - path: '/' {{ end }} diff --git a/istio/helm/istio/templates/secret.yaml b/istio/helm/istio/templates/secret.yaml deleted file mode 100644 index e06147ed3..000000000 --- a/istio/helm/istio/templates/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{ if eq (index .Values "kiali-server" "auth" "strategy") "openid" }} -apiVersion: v1 -kind: Secret -metadata: - name: kiali - namespace: {{ .Values.istio.namespace }} - labels: {{ include "istio.labels" . | nindent 4 }} -type: Opaque -data: - oidc-secret: {{ index .Values "kiali-server" "auth" "openid" "client_secret" | b64enc }} -{{ end }} \ No newline at end of file diff --git a/istio/helm/istio/templates/serviceentry.yaml b/istio/helm/istio/templates/serviceentry.yaml deleted file mode 100644 index 725e2be16..000000000 --- a/istio/helm/istio/templates/serviceentry.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: networking.istio.io/v1beta1 -kind: ServiceEntry -metadata: - name: sni-proxy - namespace: {{ .Values.istio.namespace }} -spec: - hosts: - - sni-proxy.local - location: MESH_EXTERNAL - ports: - - number: 18443 - name: tcp - protocol: TCP - resolution: STATIC - endpoints: - - address: 127.0.0.1 ---- -apiVersion: networking.istio.io/v1beta1 -kind: ServiceEntry -metadata: - name: allowed-tlds - namespace: {{ .Values.istio.namespace }} -spec: - hosts: - {{- range .Values.istioEgressAllowedTLDs }} - - {{ . | quote -}} - {{ end }} - ports: - - number: 443 - name: tls - protocol: TLS -{{- end }} diff --git a/istio/helm/istio/templates/virtualservice.yaml b/istio/helm/istio/templates/virtualservice.yaml deleted file mode 100644 index 9b60d2b9c..000000000 --- a/istio/helm/istio/templates/virtualservice.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if .Values.istio.egressGateway.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: direct-tlds-through-egress-gateway - namespace: {{ .Values.istio.namespace }} -spec: - hosts: - {{- range .Values.istioEgressAllowedTLDs }} - - {{ . | quote -}} - {{ end }} - gateways: - - mesh - - istio-egressgateway - tls: - - match: - - gateways: - - mesh - port: 443 - sniHosts: - {{- range .Values.istioEgressAllowedTLDs }} - - {{ . | quote -}} - {{ end }} - route: - - destination: - host: istio-egressgateway.{{ .Values.istio.namespace }}.svc.cluster.local - subset: allowed-tlds - port: - number: 443 - weight: 100 - tcp: - - match: - - gateways: - - istio-egressgateway - port: 443 - route: - - destination: - host: sni-proxy.local - port: - number: 18443 - weight: 100 -{{- end }} diff --git a/istio/helm/istio/values.yaml b/istio/helm/istio/values.yaml index a5102043b..d79920d77 100644 --- a/istio/helm/istio/values.yaml +++ b/istio/helm/istio/values.yaml 
@@ -1,109 +1,65 @@ -# Default values for istio. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -provider: aws - -istioEgressAllowedTLDs: -- "*.org" -- "*.com" -- "*.sh" -- "*.ai" -- "*.io" -- "*.nl" - -istio: - hub: gcr.io/istio-release - tag: 1.10.3 - namespace: istio-system - egressGateway: - enabled: false - istioComponents: {} - -istio-operator: - operatorNamespace: istio-operator - watchedNamespaces: istio-system - enableCRDTemplates: false +global: + istioNamespace: istio + istiod: + enableAnalysis: true hub: gcr.io/istio-release - tag: 1.10.3 + # defaultResources: + # requests: + # cpu: 10m + # proxy: + # image: proxyv2 + # resources: + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # cpu: 2000m + # memory: 1024Mi + # proxy_init: + # # Base name for the proxy_init container, used to configure iptables. + # image: proxyv2 -monitoring: +base: enabled: true - namespace: monitoring - grafana: - namespace: grafana - kiali: - enabled: true - tracing: - enabled: true - sampling: 100.0 - tempoNamespace: grafana-tempo - tempoService: grafana-tempo-tempo-distributed-distributor -# TODO: add prometheus service monitor for Kiali -kiali-server: - istio_namespace: istio - api: - namespaces: - exclude: - - istio-operator - - kube-.* - - openshift.* - - ibm.* - deployment: - override_ingress_yaml: - metadata: - annotations: - kubernetes.io/tls-acme: "true" - kubernetes.io/ingress.class: "nginx" - cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/force-ssl-redirect: 'true' - nginx.ingress.kubernetes.io/use-regex: "true" - spec: - tls: - - hosts: - - kiali.kubeflow-aws.com - secretName: kiali-tls - rules: - - host: kiali.kubeflow-aws.com - http: - paths: - - path: /.* - pathType: Prefix - backend: - service: - name: kiali - port: - name: http - external_services: - prometheus: - url: http://monitoring-prometheus.monitoring:9090 - tracing: - use_grpc: false # we would actually want this to be 
true, but it doesn't work currently - in_cluster_url: http://grafana-tempo-tempo-distributed-query-frontend.grafana-tempo:16686 - grafana: - auth: - type: basic - username: admin - password: "" - url: - https://grafana.kubeflow-aws.com - in_cluster_url: http://grafana.grafana:80 - dashboards: - - name: "Istio Service Dashboard" - variables: - namespace: var-namespace - service: var-service - - name: "Istio Workload Dashboard" - variables: - namespace: var-namespace - service: var-service - - name: "Kubernetes / API server" - variables: - var-datasource: default - var-cluster: '' - var-instance: All +istiod: + enabled: true + # base: + # # If enabled, gateway-api types will be validated using the standard upstream validation logic. + # # This is an alternative to deploying the standalone validation server the project provides. + # # This is disabled by default, as the cluster may already have a validation server; while technically + # # it works to have multiple redundant validations, this adds complexity and operational risks. + # # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. 
+ # validateGateway: false + pilot: + autoscaleMin: 2 + resources: + requests: + cpu: 500m + memory: 2048Mi + env: + PILOT_ENABLE_STATUS: "true" # Needed for KNative + VERIFY_CERTIFICATE_AT_CLIENT: "true" # More secure + # ENABLE_AUTO_SNI: "true" # Possibly needed for ambient mode + # PILOT_ENABLE_HBONE: "true" # Needed for ambient mode + # CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel,istio/ztunnel" # Needed for ambient mode + # PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" # Needed for ambient mode + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + istio: pilot + meshConfig: + outboundTrafficPolicy: + mode: ALLOW_ANY + accessLogFile: /dev/stdout + accessLogFormat: | + [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME% traceID=%REQ(x-b3-traceid)% + # defaultConfig: # Needed for ambient mode + # proxyMetadata: # Needed for ambient mode + # ISTIO_META_ENABLE_HBONE: "true" # Needed for ambient mode -kubeflow: - enabled: false - namespace: kubeflow +monitoring: + enabled: true diff --git a/istio/helm/istio/values.yaml.tpl b/istio/helm/istio/values.yaml.tpl index 41503b3c8..fcd85e088 100644 --- a/istio/helm/istio/values.yaml.tpl +++ b/istio/helm/istio/values.yaml.tpl 
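Review bot: `meshConfig.outboundTrafficPolicy.mode: ALLOW_ANY` in the new `istio/helm/istio/values.yaml` lets sidecars reach any external host. This commit also deletes the egress-gateway templates (the `allowed-tlds` ServiceEntry, the SNI proxy and the `sni_verifier` filter), which were the only egress restriction the chart offered. If unrestricted egress is the intended default, state it next to the setting, e.g. `mode: ALLOW_ANY # no egress restriction; use REGISTRY_ONLY to limit traffic to registered services`. The `accessLogFormat` line writes `%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%` to stdout, and that value includes the query string. Because the RequestAuthentication CRD in this patch accepts JWTs via `fromParams`, add a comment warning that tokens passed that way end up in the access log.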
@@ -1,170 +1,8 @@ -istio-operator: - watchedNamespaces: {{ namespace "istio" }} -istio: - namespace: {{ namespace "istio" }} - {{- if .Values.enableEgressGateway }} - egressGateway: - enabled: true - {{- end }} - istioComponents: - ingressGateways: - - name: istio-ingressgateway - k8s: - service: - type: LoadBalancer - {{- if eq .Provider "aws" }} - serviceAnnotations: - service.beta.kubernetes.io/aws-load-balancer-name: {{ .Cluster }}-istio-nlb - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' - service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing - service.beta.kubernetes.io/aws-load-balancer-type: external - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance - proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }' - {{- end }} - # Cluster-local gateway for KFServing - {{ if or .Configuration.kubeflow .Configuration.knative }} - - name: knative-local-gateway - enabled: true - label: - app: knative-local-gateway - istio: knative-local-gateway - k8s: - env: - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - hpaSpec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: knative-local-gateway - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - service: - type: ClusterIP - ports: - - name: status-port - port: 15020 - targetPort: 15020 - - name: http2 - port: 80 - targetPort: 8080 - {{ end }} - {{- if .Values.enableEgressGateway }} - egressGateways: - - name: istio-egressgateway - enabled: true - k8s: - service: - ports: - - port: 443 - targetPort: 8443 - name: tls-https - overlays: - - kind: Deployment - name: istio-egressgateway - patches: - - path: spec.template.spec.containers[-1] - value: | - name: sni-proxy - image: dkr.plural.sh/istio/nginx:1.21.6 - volumeMounts: - - name: sni-proxy-config - mountPath: /etc/nginx - 
readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 101 - - path: spec.template.spec.volumes[-1] - value: | - name: sni-proxy-config - configMap: - name: egress-sni-proxy-configmap - defaultMode: 292 # 0444 - {{- end }} - -provider: {{ .Provider }} - -{{ $monitoringNamespace := namespace "monitoring" }} -{{ $grafanaNamespace := namespace "grafana" }} -monitoring: - namespace: {{ $monitoringNamespace }} - grafama: - namespace: {{ $grafanaNamespace }} - tracing: - tempoNamespace: {{ namespace "grafana-tempo" | default "grafana-tempo" }} - -kiali-server: - {{/* {{ if .OIDC }} - auth: - strategy: openid - openid: - client_id: {{ .OIDC.ClientId }} - disable_rbac: true - authentication_timeout: 300 - username_claim: "email" - client_secret: {{ .OIDC.ClientSecret }} - issuer_uri: {{ .OIDC.Configuration.Issuer }} - scopes: - - "openid" - - "profile" - {{ end }} */}} - deployment: - override_ingress_yaml: - metadata: - annotations: - kubernetes.io/tls-acme: "true" - kubernetes.io/ingress.class: "nginx" - cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/force-ssl-redirect: 'true' - nginx.ingress.kubernetes.io/use-regex: "true" - spec: - tls: - - hosts: - - {{ .Values.kialiHostname }} - secretName: kiali-tls - rules: - - host: {{ .Values.kialiHostname }} - http: - paths: - - path: /.* - pathType: Prefix - backend: - service: - name: kiali - port: - name: http - namespace: {{ namespace "istio" }} - istio_namespace: {{ namespace "istio" }} - external_services: - prometheus: - url: http://monitoring-prometheus.{{ $monitoringNamespace }}:9090 - {{ if .Configuration.grafana }} - {{ $grafanaValues := .Applications.HelmValues "grafana" }} - grafana: - auth: - username: {{ $grafanaValues.grafana.grafana.admin.user }} - password: {{ $grafanaValues.grafana.grafana.admin.password }} - url: https://{{ .Configuration.grafana.hostname }} - in_cluster_url: http://grafana.{{ $grafanaNamespace }}:80 - {{ end }} - tracing: - in_cluster_url: 
http://grafana-tempo-tempo-distributed-query-frontend.{{ namespace "grafana-tempo" | default "grafana-tempo" }}:16686 - -{{ if .Configuration.kubeflow }} -{{ $kubeflowNamespace := namespace "kubeflow" }} -kubeflow: - enabled: true - namespace: {{ $kubeflowNamespace }} -{{ end }} +global: + istioNamespace: {{ namespace "istio" }} + +{{- if and .Configuration .Configuration.istio-cni }} +istiod: + istio_cni: + enabled: true +{{- end }} diff --git a/istio/plural.lock b/istio/plural.lock deleted file mode 100644 index 75ff6d206..000000000 --- a/istio/plural.lock +++ /dev/null @@ -1,18 +0,0 @@ -artifact: {} -terraform: - terraform/kube: h1:vMPDCNZkTRKGX1acVe7qsk54Ycy/8ML5L0RKUatL9QM= -helm: - helm/istio: h1:JL/2OcXZJt2TuQ2M7dCs/UotosOa3BXGbyGM2JWa5s0= -recipe: - plural/recipes/istio-aws.yaml: ed8b07b137b65286ba8831c8afc912e380066b331bf414d2e8b14c8649cd386b - plural/recipes/istio-azure.yaml: 16cee03e0960e8f39b1403781e126ec251d3a9f87fcc79635d116868a3a3295b -integration: {} -crd: - plural/crds/crd-all.gen.yaml: 108d7ce9a38ab7e40a2c899c2a29caaae25198f7c556cbfe7e3539f37d4ec415:h1:Zm1opjMCJiz0MKTkt/4dQCI3MNeLLIihI/L+uKZxiU8= - plural/crds/crd-operator.yaml: e04f16e7af9591024ba31a5a956a7f18fe93ee65cc3e8311f4a31bcd5195672e:h1:Zm1opjMCJiz0MKTkt/4dQCI3MNeLLIihI/L+uKZxiU8= -ird: {} -tag: - plural/tags/helm/istio.yaml: 7a04928ccc1ff18dfd45847813fdbf5006ac7b2f3a325080cb336141ab0b3b72 - plural/tags/terraform/kube.yaml: 92ef5c9d1ec51bcf6d917cf7bd8032649bda7e894cc2f47c398250c237c2b1a9 -attrs: - repository.yaml_Plural: M7EiaDeix-CD_jH9-Dlrwuu1oH8Bi-WCm4zax5Z8_OU= diff --git a/istio/plural/recipes/istio-aws.yaml b/istio/plural/recipes/istio-aws.yaml index a968caf07..bd2a084d5 100644 --- a/istio/plural/recipes/istio-aws.yaml +++ b/istio/plural/recipes/istio-aws.yaml 
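Review bot: `{{- if and .Configuration .Configuration.istio-cni }}` in the new `istio/helm/istio/values.yaml.tpl` will not parse as a Go template, because a field chain cannot contain a hyphen. The key has to be looked up with `index`, as the deleted `secret.yaml` did for `kiali-server`: `{{- if and .Configuration (index .Configuration "istio-cni") }}`. Depending on the Go version the templates are rendered with, `and` may evaluate both arguments, so confirm the `index` call is safe when `.Configuration` is empty.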
@@ -5,16 +5,11 @@ primary: true dependencies: - repo: bootstrap name: aws-k8s -- repo: monitoring - name: monitoring-aws -- repo: ingress-nginx - name: ingress-nginx-aws +- repo: istio-ingress + name: istio-ingress-aws sections: - name: istio - configuration: - - name: kialiHostname - documentation: FQDN to use for the Kiali installation - type: DOMAIN + configuration: [] items: - type: TERRAFORM name: kube diff --git a/istio/plural/recipes/istio-azure.yaml b/istio/plural/recipes/istio-azure.yaml index a4ca9a569..217f0f5c7 100644 --- a/istio/plural/recipes/istio-azure.yaml +++ b/istio/plural/recipes/istio-azure.yaml @@ -5,16 +5,11 @@ primary: true dependencies: - repo: bootstrap name: azure-k8s -- repo: monitoring - name: monitoring-azure -- repo: ingress-nginx - name: ingress-nginx-azure +- repo: istio-ingress + name: istio-ingress-azure sections: - name: istio - configuration: - - name: kialiHostname - documentation: FQDN to use for the Kiali installation - type: DOMAIN + configuration: [] items: - type: TERRAFORM name: kube diff --git a/istio/plural/recipes/istio-gcp.yaml b/istio/plural/recipes/istio-gcp.yaml index 40103b290..ebe836039 100644 --- a/istio/plural/recipes/istio-gcp.yaml +++ b/istio/plural/recipes/istio-gcp.yaml @@ -5,16 +5,11 @@ primary: true dependencies: - repo: bootstrap name: gcp-k8s -- repo: monitoring - name: monitoring-gcp -- repo: ingress-nginx - name: ingress-nginx-gcp +- repo: istio-ingress + name: istio-ingress-gcp sections: - name: istio - configuration: - - name: kialiHostname - documentation: FQDN to use for the Kiali installation - type: DOMAIN + configuration: [] items: - type: TERRAFORM name: kube diff --git a/istio/repository.yaml b/istio/repository.yaml index 801d6360d..c0751544c 100644 --- a/istio/repository.yaml +++ b/istio/repository.yaml 
@@ -6,5 +6,6 @@ notes: plural/notes.tpl homepage: https://istio.io/ gitUrl: https://github.com/istio/istio tags: +- tag: istio - tag: network -- tag: security \ No newline at end of file +- tag: security diff --git a/istio/terraform/kube/deps.yaml b/istio/terraform/kube/deps.yaml index 26842eccd..05f9426d9 100644 --- a/istio/terraform/kube/deps.yaml +++ b/istio/terraform/kube/deps.yaml @@ -1,9 +1,11 @@ -dependencies: [] - -providers: -- aws -- gcp -- azure - -description: istio kubernetes setup -version: 0.1.7 +apiVersion: plural.sh/v1alpha1 +kind: Dependencies +metadata: + description: istio kubernetes setup + version: 0.1.7 +spec: + dependencies: [] + providers: + - aws + - gcp + - azure diff --git a/kiali/Pluralfile b/kiali/Pluralfile new file mode 100644 index 000000000..55c10ae6b --- /dev/null +++ b/kiali/Pluralfile @@ -0,0 +1,6 @@ +REPO kiali +ATTRIBUTES Plural repository.yaml + +TF terraform/* +HELM helm/* +RECIPE plural/recipes/* diff --git a/kiali/helm/kiali/.helmignore b/kiali/helm/kiali/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/kiali/helm/kiali/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kiali/helm/kiali/Chart.lock b/kiali/helm/kiali/Chart.lock new file mode 100644 index 000000000..00490dd2d --- /dev/null +++ b/kiali/helm/kiali/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: kiali-server + repository: https://kiali.org/helm-charts + version: 1.73.0 +digest: sha256:ae1594c1ad4ef754c30fbda9583da93c08fdf8b904d75cbd9f7c46117c39119d +generated: "2023-09-01T15:42:45.406451+02:00" 
diff --git a/kiali/helm/kiali/Chart.yaml b/kiali/helm/kiali/Chart.yaml
new file mode 100644
index 000000000..85bc84ce9
--- /dev/null
+++ b/kiali/helm/kiali/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: kiali
+description: helm chart for kiali
+type: application
+version: 0.1.0
+appVersion: "v1.73.0"
+dependencies:
+- name: kiali-server
+ version: 1.73.0
+ repository: https://kiali.org/helm-charts
diff --git a/kiali/helm/kiali/README.md b/kiali/helm/kiali/README.md
new file mode 100644
index 000000000..dd4efdcb4
--- /dev/null
+++ b/kiali/helm/kiali/README.md
@@ -0,0 +1 @@
+A helm chart for kiali
\ No newline at end of file
diff --git a/kiali/helm/kiali/charts/kiali-server-1.73.0.tgz b/kiali/helm/kiali/charts/kiali-server-1.73.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..81156f4f956d12fe13da8a651aeed037d0c8c146 GIT binary patch literal 7223 zcmV-79LVDziwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH<$bKADE{j6WHm+6_>y%r_;+3HT_9-lOAbDG!KZqJ1ZHw zC7~t>767g2B>wMr@E`>~B|qZyVSGp|a+NoXSNu^#c|UG`RVL-%W?>&Kw1r@3`OQIEsEKM1g7;2?H zCBfyA@DKtPr$kb-AOJ~1SkfqhDFVlsU110`0Rpp3W*oulA%*pcOvz@!UW6DG+eDoD_?16U&!`kf;3ja(pKQh|Fd#L{`fIEGsgnh6a3UKPnW z??BHPZ;roZl-rT^)VeGdbS6C@nOuO7oJgFn6n+0@87#;Zss;EmVM`zjB%$h+q%p#B zK_skL#^H=*65+?Qmj!#K7?4b0?+I`^Ur123)wrl-1N5>10ZG1)Fr#zDI;n_bnFJz% zXNktYLnSO(7KObhkRXPNj3uGQZcxaKePJ4xOf_r9$c~r-dy`^vuDYi<$Ux0s2~LjLu(?RI%hW(}WRe zrj1-MVTH}e08Cf9()WsNZK4+}Ss+(Z*XwB;MT?F|NuY$pgC`K;jAW5i60%gFYwJx* zTNGi~>nRZ#_dr{7G#tbGYx_fsko}#Dkm>tcY*j@ohMM?@##9O;My4@MDv=W7RBCo1 z?!h$6U!PlB@iYinmPl9-0V(pB3N`J8tpRw2d?gn&nftoMZyAS}aRg=IaTWo)LT;MP z8BjwVki@i}33S->Cbx_LND!b9bQ7k7SaGfJ8Kz53cq-4IxqtEOr``IZi@4MQ>&a6m*a5xlFBfAF;jI|7{zMNSCElnE*s zU%52>uO!o_lFY>}Fb)LFFzIfqc9S_rA?%>9r6M9zj6}ieAR1hN9TKMz@`+LgWAH}msS@*v zzz74$xFyy|cvYCy)6)2)oH9=3YEl{|g_L6&(SV3CjP$Q!C#0xQs~rj{@{tPCOc67T zy<+HM#+3jaAHJe?2()4vR{=)f>GwvaYC|h9$P9gIANj6OhIZ!HdzinGt2FP4WRcP@ z21tvnl}s}fC6QG^n*Xn#+(ukg3lx_VrH?1E)L_;ei zx}LET$MCcF!;90=!EogL((6TRPLqjbmzXFhLFWlg=4w<86U;7dtY;dRW7r=Khidx7 zC^-$pq}q}Exq<$A`1P;{u*B&^aag1L)Vq_%^07;4|F4X+NKL)L>o*tA&wcq$-bWi7 z_W#4f!^6t{|L9=&=>L6?@-MT=QFgXAhyQDBT3a_Pu*AIDD=$ZdA*wW`(j^O9_ z@4+{R38#fa8LqE?(dPXWF*axBwT@DEb)82 z9knqUo1M{9r)gDP)!YM%@M#UZd2I=F>pC>={;9QK%lw}#FiMdNU#53=1$NK>(b4|l zQDy!gk4{b==l?^L_wNT^!WE6jAW(ub&Xn!?G*-hBEN~284z90zJq6Z##*s)=TOsRL zm}OD4Qv11x&ZwTsW{;vLwBP#|DoY~?bR`ML2ioZ(az~PO)W8qf6nTOYg{}p9Ln5@# zMBD7fN2E8FJJu2M&FgaoOOv_Y%~Oi^}b?x_uPwMOos)DulRK3WN&!a(iy6rEK>d%$wvVrM`6 zo@Uwm_kG1DnxM5(?IibeydLx|7@ffmNkZ7c-@yOLoB^~FX?I7vu#;c`UF&oXwF}p3 zKcHG^h5cZpM9GIG2qS^@imfCyAV|W>pCt)4zCT@8^*eVJkg~tcKxs>V)0k?|^?;_F 
zCUOSe-$eg!!Yi#umG$L=-s!3(&iiiTSg4FIAP21T}D})MyU6Eu5Btj!MSu z;jiiMJEPNYWIl^ymKcVLOTVv>+KhW+WvG?ZIj zxns7mQcAe&v)S4WQ{&^g9k=Z`SsmqmW2?^Ld&ApY-E=U2tyTTTY5EOHz<0a=jq|Yuwys_~0P8xLlO#Ni(gk^)#V|VFq<5Qpzr?9_ zCT;4j{V(@SGgFtLRX}gx*+r^6996gi-+CarE0neOz;iG-qf{DI)t_f1 zHNi3zg@5|?g`H`_|DFi&^dXdAoX+UEJn~#}$}LrB^#=Bsw2_t@F)#P{X_uWg9DTUZ zhfLbwS;NiL2J-SN@jvE-h$ZU-yiJVH+wco_Vu|+)B7VSC!GMAy&jGKAc^&7+#e-nVz_ZAHxX3Trk}Uj zI5s7S@=9Ob$Cg1IlGFy4$pWqtQcUd_90^IQrHN4``UOa1&Pra{PyuaLz(eJ0D*s=zj+NI4J0ge zyxAqLjMG(nzAP0QrE!s&aI`9bp#wr9$tGr+4)$$Ldk!zw%==s}@Eb+X_^F|*&eVpO z0e^jr@7GW8UE{;>=yUT%I|DA*OU5q0Wn4A6!*P!9&eMoW@Sb{iXwx`N_IH~bRkBfP zct*L9Ep#d)}^3CB~wnqRn!v z|FL$X#qQ_POW;{o+HNa|b+)w+)9$Wb(s$-4Z&4X`+DC79z0TW#w!GE8+VRtRbBQ@M zbgC4?&^iK6oKV*=IABg-i6zK$DQ%$jDKw5wH_mcLoQ11I+CGgtHr+Y0s3&`ALZoK&6T3aS5df1jMH07ujcXHX_oOCoL_Q8mV2+AM&8;}+Jdv>obbe-BZr_8&=8F({0{ZwfK^{ab-LueFpq*c{xJzc-B*iHo|~n8;x9(xIb^ zl6w5!nxbQiJx`mqiE~jzllhN26}?DBB=62MK1Y-3XrKI;kSjtXGL4GoCZ+JqMbQJu zXRIaP;gQZjz9FBA%(kNUH|4}vRVQV$Rld#yt-`n4-%g#5_DW97nuV`Z@)j6eiY&H! 
z+|u~$=*V68+`q8n>i>fXd`py_RoN4JySn2h8Cqm3MpqX$^~XR+)xCZ zq-%#lGmuHzb40w-ihA#cXO;%ZIsWTtUdK*!x9@rFqYqFxoSp1an6te+=X)D5scqY~ zm6hgQT9?4&8pQGY*t-K>-(n(lbgQ2BysnnNe5T$N?QV&s#_vYIelu0|6#I28{qAiR zMd#(z*!9WM4H5R&y2;-_?Uv-bmm;j;)zedZQ$lYW$tj_!>GMXK0=B*oEbpD}`xv}t z)~#xk+RWnlcokBQN)&SIlZD0&hfbjNJPxld?w3(4VmUZVf`IP623{I)fr>* zTNXqAUKHc87tblgq%Y{;B!QW|h&WTw_nf5K*O$e$i$vI(P55KPSyF4n2O*BCv-f}iY zcSsd2-=Qpza!TZ)W3JVA)Ab;AxV|1NkVJCvpE7FQw+42s55aHaZ^?@Y7N~~!`-_XW z=QZs0Sx~M~uTUOF0Gd!qN%RdyWOa@KOOz#YeYz_UwMkSzP9gPAxsdS^24b{#G-t6vd$TrnPoozWHwQ z^7&8CUsfA5%YCb>&Zf-yrA608`t6&uSEm=vSi2M8%rz;kh%a8edOrE~#q*cn+_H_@ zO+l?qou9sX`||nO$BBNs#MK^renlc3{MOw6wm3z97e46oo;*IOf#lDN#JY~LYHnblsw>L2?#-4F ziunyhw;Sb+H2cogS=-RwY)lsye3gx#(yd>x(Xw7+=`^WbqKs;BHg5N!Q-b^`(Oqb6 zvk$tH!ZD0-Nw|;Ld>8kPyds*oy2@&{EnNKOcxii`sQos5VjMTsma0aHlWK4W~K zlc=^usr_ZZ&$EZoGhXDb~%r>td05 zpZ{|9kWPBrhF*M(#jj)O+t^#X*lj=jH(uxN#*D^k)8>z49CjMSB)<>VPgsb%u(Js) zW#R5d2z_;|8x3B*brw1o+7d-2HysP{v=LGJdRs=e^_sgCeJQKBhr(M^r%>HHaheNN z3KL21LZ!jEHK{jnjyso-uEE`#NqgJS>SAd;QMmy{rCVdy71ZPN(vj>YqRNOik@XlC zQYkI*AB&XS-)A5;#s8liG~EAq{22f75T)ZlEhWB4F=&eNZ?-g54d?!GRndfze9t)j z4@)G8-m>u2-bs%9j}ud(>AfI)jVKJ>0c&cH2pe;W=dbJncM-Osh#4O0(V z=6`;B!@cN$4f9{k{A&Ey{^&9O>p{x>Y_2R8{LRL!wCyjt?jSLnYNctm^HU@!myBO3 z+yC+_bF0~C@WNo#?h1E;HUXDXxHkb$QIe56xy&@T?R^SO)*LfnN454vf`+i!8&$96 zIW%52aQA$x&0Q;fETK8m^+tW&0$*F_oxQjDB#Fh@*I##A3!atxk6#Pk|D zbu$W_7`R)I;I&N@`!lyM-fwyLQdwBRQ}w-VEQV%bZ?Yk(1GafWR-@SL^Nj&)ZS_mT z#j_~?1do~$`JON(a^ZOGZ+`0Du;IVsa#J`0h+JIgVBNPmXQp^zWu)wM(%$Owf%NSn zrXY_Hs2px5Sv*DF8Yia6gJkv>scepm7!-{?ouK~x9at!2;XD{@(dmZJ|Fh0%Uh)O-> zx^M%AakFyEYdaci&PgI)pZQUiG$>?qx{?TKW7p4?Y9-vh$MHq z2xgQ1A0Aiyzx%_{$^N7Me~41m&U{J&Jwq6$|IyoD$6;cW^cjorE| z*MQbO=DC||;FN`85V3i$q<}Z;*)2LzEP|qFN&jK9+7-j>0vjP0R@0k{I_`@E-8;3r zm@&R2JS^i4^e2`qppaFB_)cP?cb48BcqC0lQxhSX#&hbEepvV0BJset9D>me#Xml$D;l2^dzMBzXvIwYW;s)_;npt+q-XcoY2?ScwxLyR!z@&nrqt!+M95H~Fy>;IG{Ax-9YcLQ&X z|2;mb_(Q7>8aS;j8VRJM~&*Q>}%R5o2(k zmu{W|D%)P!SHeZKSa5k{okYpx>MrRnl@ocw9;RDE`LS5 z@~t+Kuw)gpOymiiw{$R;VIYTK1}@A{{F#H 
zE&l8A{QqIfJ;i_BL*~a5IMtW&7vBkmL;q+`e+HoV@Mzz4lfGaH;LiSMtJH_ZQF14YzGyT__tiTi!0+ zdara7X*Z#!bm4TJ0p)L=w5!~%51eeY_?=BhE)UvF-oid^tLhrZjaKBRUQGXhrQ80q zw+jwSe4PJ}<*_`L$8w|c{{a91|NpD0jCTOI F007KpY777X literal 0 HcmV?d00001 diff --git a/kiali/helm/kiali/deps.yaml b/kiali/helm/kiali/deps.yaml new file mode 100644 index 000000000..5aa5bc26e --- /dev/null +++ b/kiali/helm/kiali/deps.yaml @@ -0,0 +1,19 @@ +apiVersion: plural.sh/v1alpha1 +kind: Dependencies +metadata: + application: true + description: Deploys kiali crafted for the target cloud +spec: + dependencies: + - type: helm + name: bootstrap + repo: bootstrap + version: '>= 0.5.1' + - type: helm + name: istio + repo: istio + version: '>= 0.1.101' + - type: terraform + name: kube + repo: kiali + version: '>= 0.1.0' diff --git a/kiali/helm/kiali/templates/_helpers.tpl b/kiali/helm/kiali/templates/_helpers.tpl new file mode 100644 index 000000000..acba356d3 --- /dev/null +++ b/kiali/helm/kiali/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kiali-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kiali-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kiali-plural.labels" -}}
+helm.sh/chart: {{ include "kiali-plural.chart" . }}
+{{ include "kiali-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kiali-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kiali-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kiali-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kiali-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/kiali/helm/kiali/templates/secret.yaml b/kiali/helm/kiali/templates/secret.yaml
new file mode 100644
index 000000000..01cc3af95
--- /dev/null
+++ b/kiali/helm/kiali/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- if eq (index .Values "kiali-server" "auth" "strategy") "openid" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kiali
+ labels:
+ {{- include "istio.labels" . | nindent 4 }}
+type: Opaque
+data:
+ oidc-secret: {{ index .Values "kiali-server" "auth" "openid" "client_secret" | b64enc }}
+{{- end }}
diff --git a/kiali/helm/kiali/templates/service-monitor.yaml b/kiali/helm/kiali/templates/service-monitor.yaml
new file mode 100644
index 000000000..92edc020b
--- /dev/null
+++ b/kiali/helm/kiali/templates/service-monitor.yaml
@@ -0,0 +1,17 @@
+{{- if eq .Values.monitoring.enabled true }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: kiali-service-monitor
+ labels: {{ include "istio.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: kiali
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: http-metrics
+ path: '/'
+{{- end }}
diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml
new file mode 100644
index 000000000..ea98028d8
--- /dev/null
+++ b/kiali/helm/kiali/values.yaml
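Review bot: The `labels:` entry in secret.yaml includes a template named `istio.labels`, while the `_helpers.tpl` added for this chart defines only `kiali-plural.*` names, so unless some dependency defines `istio.labels` the render fails once the `openid` branch is taken; `{{- include "kiali-plural.labels" . | nindent 4 }}` matches the helpers shipped here, and service-monitor.yaml carries the same include. The `oidc-secret` value is piped into `b64enc` with no presence check, so a missing `client_secret` likely surfaces as a type error instead of a clear message. `{{ index .Values "kiali-server" "auth" "openid" "client_secret" | required "kiali-server.auth.openid.client_secret must be set" | b64enc | quote }}` would fail early and keep the emitted YAML well-formed.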
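Review bot: The guard `{{- if eq .Values.monitoring.enabled true }}` in service-monitor.yaml dereferences `.Values.monitoring`, which the chart's values.yaml in this commit does not define, so unless Plural injects that key the render likely stops with a nil-pointer error instead of skipping the ServiceMonitor. Adding a `monitoring:` block with `enabled: false` to values.yaml, or guarding with `{{- if and .Values.monitoring .Values.monitoring.enabled }}`, makes the default install render cleanly.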
@@ -0,0 +1,75 @@
+kiali-server:
+ auth:
+ strategy: anonymous
+ istio_namespace: istio
+ # api:
+ # namespaces:
+ # exclude:
+ # - istio-operator
+ # - kube-.*
+ # - openshift.*
+ # - ibm.*
+ # deployment:
+ # override_ingress_yaml:
+ # metadata:
+ # annotations:
+ # kubernetes.io/tls-acme: "true"
+ # kubernetes.io/ingress.class: "nginx"
+ # cert-manager.io/cluster-issuer: letsencrypt-prod
+ # nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
+ # nginx.ingress.kubernetes.io/use-regex: "true"
+ # spec:
+ # tls:
+ # - hosts:
+ # - kiali.kubeflow-aws.com
+ # secretName: kiali-tls
+ # rules:
+ # - host: kiali.kubeflow-aws.com
+ # http:
+ # paths:
+ # - path: /.*
+ # pathType: Prefix
+ # backend:
+ # service:
+ # name: kiali
+ # port:
+ # name: http
+ external_services:
+ istio:
+ root_namespace: istio
+ component_status:
+ enabled: true
+ components:
+ - app_label: istiod
+ is_core: true
+ - app_label: istio-ingress
+ is_core: true
+ is_proxy: true
+ namespace: istio-ingress
+ prometheus:
+ url: http://monitoring-prometheus.monitoring:9090
+ # tracing:
+ # use_grpc: false # we would actually want this to be true, but it doesn't work currently
+ # in_cluster_url: http://grafana-tempo-tempo-distributed-query-frontend.grafana-tempo:16686
+ # grafana:
+ # auth:
+ # type: basic
+ # username: admin
+ # password: ""
+ # url:
+ # https://grafana.kubeflow-aws.com
+ # in_cluster_url: http://grafana.grafana:80
+ # dashboards:
+ # - name: "Istio Service Dashboard"
+ # variables:
+ # namespace: var-namespace
+ # service: var-service
+ # - name: "Istio Workload Dashboard"
+ # variables:
+ # namespace: var-namespace
+ # service: var-service
+ # - name: "Kubernetes / API server"
+ # variables:
+ # var-datasource: default
+ # var-cluster: ''
+ # var-instance: All
diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl
new file mode 100644
index 000000000..afd7b2b68
--- /dev/null
+++ b/kiali/helm/kiali/values.yaml.tpl
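Review bot: `strategy: anonymous` is the chart default in values.yaml, and the accompanying values.yaml.tpl only overrides it when `.OIDC` is set, so an install without OIDC serves the Kiali UI and API with no login to anything that can reach the service. Defaulting to `strategy: token` would require a Kubernetes token instead. If anonymous is intended, a comment such as `# anonymous: no login; keep the service cluster-internal or restrict it with a NetworkPolicy` documents the assumption. The Prometheus URL is also fixed to the `monitoring` namespace, where the template removed from the istio chart derived it from `namespace "monitoring"`.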
@@ -0,0 +1,15 @@
+{{- if .OIDC }}
+kiali-server:
+ auth:
+ strategy: openid
+ openid:
+ client_id: {{ .OIDC.ClientId }}
+ disable_rbac: true
+ authentication_timeout: 300
+ username_claim: "email"
+ client_secret: {{ .OIDC.ClientSecret }}
+ issuer_uri: {{ .OIDC.Configuration.Issuer }}
+ scopes:
+ - "openid"
+ - "profile"
+{{- end }}
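Review bot: `disable_rbac: true` under `openid` means Kiali does not apply the signed-in user's own cluster permissions, so everyone who completes the OIDC login sees whatever the Kiali service account can see; if that is intended, say so in a comment next to the setting and narrow who can sign in at the identity provider. `client_id`, `client_secret` and `issuer_uri` are interpolated unquoted, so a value containing `:`, `#` or a leading special character would break or alter the generated YAML; `client_secret: {{ .OIDC.ClientSecret | quote }}` avoids that, assuming the Plural template engine exposes `quote`. `username_claim: "email"` is requested without an `email` entry in `scopes`, which some providers need before they include that claim.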
diff --git a/kiali/plural/icons/kiali.png b/kiali/plural/icons/kiali.png new file mode 100644 index 0000000000000000000000000000000000000000..823a7de1ac6831d2ce7ae0e6c3f23c641d54e3bd GIT binary patch literal 43979 zcmdpe_dnI||3AryP$3~y3MC{VyF|(!*(-ZxWv^qWkdb8Xot-_8Er~-`_TG+T9mnC| zd!5tk{d&FL@6Uhm{iWOMRi4*%J@)-^zaEzlN($2Cr1YeCczEP5Ur4Ip;SmJl;hn1? zAp(DM-;Y-d56>6xrR39BZsVKDu5M~-O;GtezIx_Ebh(0~Geg3T!TnD!`Sp8p%cw@) z3-Nz{_9(vimf2%drc!t#@3A z6tspTy`K4O!1~Wqr=l=fVGRa+%fB!%D7r)5=kA8^m z!M}vXihW*!=;HqheCZ!0{rRtRH~;5Hz-RxhOmPfJ;Qy?AIOT9-k@(&3vHrJNbIsa1|C=!RV3c&eS+(mc_;B^9 z{BWPQT8@qDNv7H;gNo4E*{QKr)AX6R8|N8x;CSIlBI=yE zFM0_mqkocr~7$bN6JT zpp~QXRe`5ZBWC&ql3wuXv)n$l*$f)(Z6s0AM6E`!LW;WPt49l11+!dIx%8KF^GsC3w4S`o@7E|&t0j~}U4@EV*V(EJVuRiP| z!$`eQ{^t1!yBr$QlxkLKscP0=%?Y&EYCYh{ncn(5!_=qiVn&5xDV5(T!h|W9DhZ6= zsDyCoH)U+p)`tDD?2D&=B`X*oMny%{c~&y=OW{o6W!|fKE7A*UC8JMbY(}3!izY@W z#I~;NlLi=>T2J_u$(=%TX>#gU&W<7cKKbglQ$-6at)G*l+xGl`tNbgw(WIo(92GJ` z;lvRZWA8ZWMLnbR-F-fLQ}1@uCa$-HAk`Xl^^W7RDvzZiIWP-(>it!xQ$FfN@r?^s zjOC1i)=?t}!90Roe>jTM?&?){G3;^w$rGpmXhVa@u}ZA9mKLcHtr@e{^~Z+q8W%K* zy%kTss#^;mUjCs=%fT*|Xps92jkG!%A@y85iZEkyh~IxQ z&}1`g{HBb8c!_Fyl=gNn>#=vmTW-`Z#Cl~p_v5*m++(G05~9ab?J7m}`Mth#3ELfS z;X+<=E4OaN#3j8kplII<#i{VG=z`fp3*xoLJyzqqd(2lT#nkfoOB@HtFt?jbtu_?p zg~sq5zAuhxSDNOwW*E6auwVVHp7>ew%G;&%HOv=<3g|eRl8sw>h7(QecT+mF(RC0yv#Z9PVd-B=(b$GrKJe;zogRb;J(MNAj|(o4W>+`Ry)XW z(3=`a&u&quBi~a2FOHpI$cJeZ4vcNTNHO@Yl!2OnS>f*>NA&20oQuD@Y*|Ao&ETt- zv}Yk(H@>hNX!zKn6NnVz^6gNJ>cBf2WqYym|0@j>uEu^&%2=&&a{QOt*8!x> zNwKXkeM`WA<^oEia)LeW7>|%kKR>PXMKaV$%iZ1mf0jseXtJTL zNiP;bi`nMAe`%NUPc2BTKhDm|8E-t7%cYf_Ff~2EO`u)YPh1oF`VeGDKIgH~kTAup zkA#pzy7~W96qwCPA;izxbyF?k^1>#Agw_xN^+ni_g(d2-Zmn~ych+abf8|BpR&GvF zJ!yY`IGNGCre70HQc(~;Ji-X1uBb|F`j5s*+0>tUMl&i2@iD!q|4KVj3)Or5JdMaT zlan$BY4>B|QVZgm2-*Qm(`nB-pH+qnGuiy{zmq@oc)^ulL;_^pDuym`-F$q3pmWqa z#fCd?oz*IP5)&G&8s|T$`h2UtIpc%X`hO~`>!{DjIbIQ==L=9xGiEYQt#qbP2Rz!g z5?#g^pW4{Y`DXVe!fS)UM?wIZ$2uQaG{GBGzbv;PIdr7tK zD%oqinwvEGYuU|G9Mm)nT_|2`Df*K~dB+f~OB~}K+i@r1vn(+T-+mMNPGm@;>%LBw 
zMO-bJz(lu1{@1x%A!}=NLSC$rHpGyu;0ykE_LR~ut(_4i$ohl3oTAD9^}|0PBmOp^ z8mvEZt6)5D$&8Oj=;z#;W(#vg!cz!bn4dMJVzbg;p+kn&qJ0u5-DR;lRD0wM=Rf}x zkDVGq*DurfJY2&|CSiAX_Yl(gPacC#Ltq0Xo6Gm0e>={Op;-R8J!7gx`*g7EZq~$ii>92__5JT{%+-dxV5C`y!@-y5O;Zc33>kP*(CO~I@BT8s$^EgeI%nOy&f$05m ztKQ!zs> z#%bHQ>t+^363MSJUUO&GN0Y1|*OcvCIAi7Ggr}rLOiqf_XE(cQ3XiHI1VaJVP5$s+ zT}d;GB3Ud~v@4*(WP#uNbXdDl7*eOtEH*-s1H!{JSlzn%cx|0?-)*=Pof@ltcdHX* z36(_rHn_v_fbRCdZ8Bj&o5$9zvSdRq&DbYkTm_ z!ja3rq19gU(1K9~fR~#O-}dwVTI_9cK}c+PMxqG-a3aJdT}N4{AjjyskG6}cpT%Ry z()y|$r+#Hb+eZwBjPuYVfFB{8m*!}Aw$;_S=isXOu`i(QmecLWk_A=pfk3IVSF!1- z`EQO>?tyBs0JDdv6;w9rxN&lX0;Ku(7R=%sjPx8L_LqaTs5x{d#I_D3as`H#0u&#a zZ5i22HqLBSn@y#C=L|u0!8~S0Zt-&HNC!OQGwu*LSP~cs5*Vou8QG#*7%p_Ruy*p4 zK2}UA+xP*{_kRG4;0UbF5H?Oz;S%kp@dJ6BC#sw8=N)Q3m4X;Y)N@Xhc2Ml4M-7ND zb1j<_e%OoU+IVFV$iF3;rMSXb$-Rj7K8b}d{2t-rS{ScUj?p;jF%@dgG;J;oQ+8RjhY=ne%L~-8rmnPIgl;BXhl@IB^Pbg?OiLAl zA|U$nxQ;6nd166`p8al-@=w6P=pgE8nmcg*ddk?!jrI(f^UcNZn4MfH-&f_|w0v$om6Ur}cJlIsjA=%6fmPFyyHwz~=>RvjZ+A z(gjOx!$0Nf=Y)XHW(@U6OyJ8paPF(cV;0p7+c0K<2sO)g$5-vb=#jm8vo5hEU1;CG z3|QM_V5ObF%B5>K^Ss-?*djbptJ?3h*3!ID*f6ItGAvAS2sx<>)Mq;ZBYm%4A6mk1 zGun)CFsTeK>!gW&N<*$VYLWiI0FoUVTe9o*Pv$J%aJ}_dl94#V2w&qorcj%=aR_Nc zp3HA>tdKN^ZZ3HOP}+L{ddI4JwWVcKzfMn{?)aG_P7NDZEE!Q^j7-iw2h^bH`A?TO zNdu@gt6y5+Ci)5l!-sZJLudL3Kdt3!lYh?LF`aHqmBGgX# zwEPC9CD-Ll=&EIqG{AQ7gG*EIA_hkSx;}q$I2E71um}#yeo`2k)tYI%*^}iFk&p)E z-^lnxv%Z75dQ1J#w*OcZF6x2xf!N)@sEyhWGwFloYVbgW_U&RHLzU6ohwhwkc}oMYH`H|P<7D>)hM+5|lT{v)?5%)pf1 zvB6*94o&yi?Z`QxcntGtVd6xHEK((hzBj@A(`FDNsu90m5;jbyO6lSoP5rb$l3jmf zSrwj2W{jCz;fHi7q*fj?996p~Gsuv|$uN3YpLO%PVluDbO#26(+Wz)=(_1xlZ@7-Z zyNi^>Iv5G?8{CzEW&R4>I2}kZ*$eYn>Gc@3KhT)T8!xaMgL52)-;JXph7H@53{Tii zC-~!H@DEv7eOvI3+TfSstZd1raFUVLJmPx!q3_v=wr+YNfM{{uFCQN*oUW6F6GKd( zlwGKfMq|dF6Q`{!0G&KI1^DCPYa9i#HOVc+rSC1R`0H5=eQ8ZytieXlaI9h@(>=l0 zK@D9=k>;=SPOBcscwQ;KD-Z#!2ASzvFK|B`qQeH{=};C`*Gsb5Mu`GF`8O)0VCQo; z35akA{@`o^WZLz|hsMXNmqWkSXT9Dqyv$gaDse#OCZutX6yaV_oDdF&>8cT6i zu<2jTgTO&KSA-VSI@Mb)G`U51ioEbHY?pj#!s@-(yTVvl;H=KO7KEFZS>TsIUG)*9 
z2=Jfn`VXnjn+^a89Hpx3!80ShP?Lf_KhGf5+7pv&QtCLL#L=u2sB#w~^ZPnQ219SU zGu9ODjy{3FgA0C__U@8gY=qx9^kz!FoE|}8#=gR&e-FeWOb=7Y*fv%$G9mn~qNUbR zMm;arvIjZ>(&|4)#`JM;-Be~VhdeDu3wv|tO0c*KFy4U9O)R<-3;PSqr>~un25G$A z1u3Hqan)y}tZQ+9&*eekLM0Op{o+J04 z>2j5+5wejPK^J0k`*wY=xOG=QDZepPvlzXI-g_hwzy=!ttKTV>D$)X1Z=IIQ13!9tKrH`94RteqR8Nnj3ySXt+M1_-W{Ck{nyRCBO*KD1 z#P#|eSd`}y&(3LZ3t~I|dU2DmN{kC~C6>%Dy5 zXnIrA6_9A^_nv$gzk&0Ejl=9*bBpe}UXPsTWLE_RHrakFbr>*mmneqU>0ZL@C>X-z z9YPeB(9M)kPvnH7$P4&1L$~X!yjz2nvAoW=ke%Qe#37SJ+%-$j_NISP% &_p6f5-jAP zdc`4*&9@Udpag%eB#B%R0$rY z)tKs${rrl@d}Rn<>aUoBeB#n9cO2cm==183$OnMfsV-uwA`uf`LTdC^*LnuQB4Zz zN2L?70Fof_@w?Xno&L@7?KPkO&>|tfVB>Vx(P&!T8+)Q&>qw;?!^Fv3B#=~Tb4iQ! zZZd4NXplfg$P*pai$+0|EO{RI?11YAJ8%A_ncfY$zgOBSPp#xV+$od-D>0gG6i5au z@6vl~GTB}wf-ZE&M~&0D$`d+xd|sgy$3PCv^@NQ1DoUmn^rks6`s@`hq=@}P_Juzn z9Y%<`GS~+=dp)*=UzKyZAtTAM!y~^7wCUfzB=hG!O}x<6w~-k@S8eihU{Cz;Ovmlu zlX?nz^lYm$lA1A8zWhvQM|?mj@o2i%z{BI+lv7G_i_e_SiK%;I<12l?o3?c4p)kAU z=axG6tMTT84GhtGHC|EyY`x1}HHgZr(&@W6#M4d*y>%elO-V9vmrf`;vY0^Ga-1$I zrxI=WrZeiccPYnHQT~qnxv$sMbeM|7x!(VBbYwwpZjzk5RS!%_qD${Gmt6f2ALU`M z9VjD5ekL#--DX$MJ&rm%yU&!&WP66tK0AiSAxqA_AZNTGkSw?|s=#8xxLhE}jOD+Dd+ypAieayZur~l^>imC|qbY9aV!>#o*lo4JU4ofr z%o9_-{NiNhQW?&WZvmqLgRLKRzki9NH#^Uu8~>s#mJ00mf0Dd2TSAUvWQs@yv5+SGzY;I z2571}|8&ta$%k4uS@%3rxJ*~9e2j9;lIrpl5!lT9XWE1g1Ndt@1K z#;7WWPn#&Z>Mp&?GtnZSQ3kzI!(WFz-@o^FP8}n2S(7Ils$bj0Se!I9NHd#k&JZ=J zwj$S;P4s%Z7qF}*=>SZqu?!GhYHr!F4VWomYV8uQ$#_6xL&raYqN z)N11!Jo`SOZo3d7KBpfKItvQNVp&WM6KH9k1rF+{7a~SxMxhrivXPz?4^RKJ5=|_e z3k}{+L!2>=?yIKGQ=c;4${NEnQ%9CK?rS1o3fi_dj}M08=7;TWbM*6j1Dr}s#)`ZOWbehj zE*FVj7>yGL^+*iODD0>X7_7Of>PT&bsy3Uh(Us`G1S~(PS`L0vz$Y@r*3hESLtb&^^i;72vaMIo0o9iE+1#mEV^+7ml;lNdS8|J zt(L(SwmGDDvX z_V9NZD`U%Cm?h?PbQbJ9(ysur`H-eCbvV)Pc#i7Gv!~d0EFr_KwvL|qu=bOx%3nGa zgb1QJPTIQTk2b%%tNo<(Q+IT_8okXp(l>YJMVC28{Hv0iNA;y8%0(xC*xJ5jlwluS zE^g5h$&NdTR;e`Ju%k%E`C6{nc_d^7@!z 
zc~9y;Ap^aID%X}w3XvV%G=6DS!}=7O#CXTf|HhZ5r+j{IO)c8Ses|NbxSgu+xX2UUV;nNCH|D&e;74t7H#xB}i8)3%`D5`812@jbi^m95d0gjpqZ9RC$MTG9s%V6t0q=;S%o_s_wLF+V}*TDT+_C#j&VSme% zc)9oo@4?2-deKxarP`X%y@Atb?p_{YJhK@XTiY!DcUiw@5`SWQl(Q2TMzLagy&0E+ zo{mC(S&%f8`j8uc3|=yOVze7D+pzG`!@<46E4P$|gsVMHb=L}0`#r%j-qa# zm_E&#vJRDEsu>F6rRw`py{GB^nbbZaxdl)GqmDTZtmjpIo^i#mm5QmymakF0V}?jA z(bCfug$GF2$^$qjd1jDFfoo844um?0jdRggrC=Kq5PqwCv4%B$cLS=cPeWhV#SJ~J zTpZ;Pzo;N04JWtO7GGK<#GO_G`W|CHWVvlY!?7VI9K?A{sk)9P`y)Q0@9g12$I2Ur z8I3G2sNC&M8{XMQNz)0e396OlHyoElcC}x!vNK^1>u(B_`)jqKibv#04+d@Mf9nWD z99-ucupJJjDyD(VYZJNWW#niK-bbhjc>+t*{;s_pG?S-CUdVVPS zcd2|EvQ+&BIdH!n%J*R5Q}~6I#R=ngA~M2fqk4$1MQVjJM%wj{H&<6Dd1>Ly^KmmE zL#<-2L`U1aUj97l8YrKhBTx@%f-pY~4ToNK}|DM2h~JR9TDll3Mbvyc{1SvCXZk{aeHglrlh;UmBe`|Q;QnAH_hX;jek<)6(^d28;ffTT>rkL% z>%SC?<#MlclNr}MAo@ubz|0)!+S}Jh88B=RHF~^(Y?ciFAQW?Cz{b9G?_=gpTS?vt z7&qcG-H{Ph9!85l(niQD=p7(A6GwQlqPMp|h@&44zn1q88FrZJK|&L;^$ZLheoxa``kEGIs|oS+4SGK~!T4e?@ci zJ7aYBz$8V?=PxaXymzqE4>OI2S|69pndDXSrIaU`NX@vDW^`C!KRA;_Uusy~LI}|A z7S_?le0jbm`9^4u0diRDYhb2cWmb6D$(b+;74s@IS^zbX2-||yTSN6OTUw#z?^jd# zqYdpR@47?xzm>DCd_!7t&J~|LVhhUOsCM}4NMOFigWLYgLgJ`SmvIr9^EE6gntuY_ z&T{gu5?6*MQ*|p4Jf3ZA8QirLZ$%3S*m=La=433RKt4*#79Eq)g7vlHS=S})oOkjD zuLYc4cQJba8&-l*2~!i32ROaog^U!x4p8ISy+z`$O5YEyRbn!|j`;-j;Y2s`L_8ol zLU7-5e#n)KCKt!(wj;FFzYv9`-i5w(PCB0U$WQn>+z7p8JdZn?QC;e=%&qN1LQx^n zB$kZXOA=~t+PU1-Y?miL)aX8=@i8t2y>RCAYaiEY9R_QI{bt+&=dh*7nL%u1072~m z2J7HFs+)=GxN2^cmg=nI4q}i`C-FOZ#%v+#YiG)5#d7>zcD2FyX#3NZdpqlo-7gc( zd5S#Z)C~oBJOFplPHr$}INl_ztAEPJ$UvG}JS|~hGv0@T)q|Mg<;5}bWgkJ|kRa;E z*10A|c_Ge;o0G;F+2>w0Y@Bxw7k}0`C+-G%wD76UqRgLAYa(Dt$V)m`Q|WUNMSx%I;tmy{gT zpnF=i3HF-}Ovx?9Hy-cjtp+;ou8WBIsJxwzN=n$Ja8sL3Wy%?`*TFbIvH*aO_t|NK z1z`#gE?QTC@gs5rhd1n)5+ZI6F2NX_sKv{%UdXy}+ZQShT;cd^%rqyjGaK#+xGtXG zP%BE7xj17slOj_z=R#L1`qYvRtF;v?$ew!9U|S6RW5=f5l6;79&YG1OD=tKJTet-j z$1gdn`Dk5xCVasjqpTbeEA)6T&I0ls$5%a z{1A9M9jILw-XQcbyVKrII)87)Px<&tOacfp+~H^$QuF$riACiS`1DtVhl5gH^&~tT z3l9&c{8F7IA7LcI?{P-3T=e(6PQ%D>8zD5s=>8$h;CODAiB>XsF2x<7frIBcJXoWW 
z9R*2uUHAg4GW1CF z)f>#+^^1hh6YY$AN@c%ePgcB8y|K;HRh5|sE@C@avvEP6ReDmqxVW~L7J7tUiPB{v z*m9({{jKh0ntCOtKHepl#D z02)w2y8YY$@iW7;Ett!l#wQP6EWHEMQDHa>1kJ@dA?vh@Wj_lb$oz$QcwS96n)PJL z>6uTlYgeVn?CY>ceAuTCY+VS@yKumDbB`M&T`+b^dK{i&g7_-PNloO$oc6gMvtaC;EY{UBHCbH6%74#A992MJ~xf`L?O#8e`sFws=zFyIz&OFz=-j=FoH4ksBvj; z%)#m+DhTibakyAI>67XZ+Wi!tTTtB(#yRMGP-78KRv(COcEEiLTP#^d9hf9Nfyz z&c$K^ubY$Wh_^1qW<+|QDQ)gFC%3(Ro#!=9?y4U8!HT=b__xA3nUtro-Rb1+)`44g z&L1x&JGKFXa1k0dn|bcr8kO1`t81^Leb@4+P8n?yiY~C-WAqh zW_l63a{DS9-a+Nz6zhcaeMX+SnBpQM@8uuHw|ZAvoS)4Jn5$|r&jNQkURqkppD5)4 zLm2jQ?Dr>%gB5}Ul?~3Ndmd{Q-4PQ@N)N7iLNse&Xzvv%!olzG(`04vkkegpvGJ+B z4Sh+tvaZ#i6FERxp0?Z@91$#H2UN!ZpoQ|d{rbI63Ul@V2khW?vDsBxiY+BtF<3Fl z@zs8Z%PwPCz_@>ps*zQk8I!z`w=Xk<=+Fi*Jd}XcimTnNcAi+*b-RtcbEz&h71=i% zrb>%kluPI%zzAQWn7UPRk29I48$GJB0||Y6kF-zb}S=IOmmWRFvdcRAtbE+HVeY9HRNT zb}T4}#UkZm&6MH+n3cE1H7JZr5C@xKKw zWW`wP)H;do@l_v(Y_kI$2~BW6X3>H5vRpie=~5neY9O3>!5id9Yf;UV1w~bj2VcI0 zW+GNQm9gs4aDogt?A$}7WoDLKq(=t0UcjO?X>^dmcje^a3-|f)AYM^F1It~kiKMU7 z6#Y_xu(*OH62J`z--_F(hniT|xeVzMupI{N#lq?;00Ud)_nQwuu^r7>TfENcJ zp|rB2X+xj+(l@NJpJA3u(CU;LE}b@0y)&ngM^{LCQS~Wo-tJph8j0|2oyu2#tM0yS z-AV)S+J!0cEZ*V?W#4>@f&cK-&R?TD-Wn@F$30|DsD z>!sygv^^OgVb>lQWPpc3JCE?hF&B4r%8gU8vu2022VfxHs;eavD@*uH11~MI{pX9T zm+%B87`@II+`kl=pKiS#ec~>+c#Fwt$_d9Dd0Qe9lvM2#GpD0l zADI}8D^5TDfjy1xsNLaD?nQt+chXByc^3$Gxo-MJ5*I6BzU{Gfi3zJLb>Df2CjixQ znioVnUyC{GusztJDG@5^vBuC@k=jbjYR>kb-&xuu0-SM+^|EXQZ~X|DokQ4-?8N2;&}(>ZQ(QE z+E;C}zw1!&aLiXdg)rqfO0B3y!51KH8}pfVW`S?}Wq)&QuWa zd>3)ntLO2m2kPH=l{O@jKdA3*2fLqi8?Im27CkL{tR6+{h)ait5HO85z-?9a$U`4e zD8mBYgoOb^AfTzps`ek-Jr!|yHPJmLM0SxH9i2o5w^e1ErgF!svs4s)5pawm`Dkl- zEN&q`NC`QE@d0J!DIao~E&B7P1Q`%@s8K8-f{AVab_uK_l{xi(diLc?cC6ZFdFIfS zS+=~ghbcHmU&T5)M5j7=U~i9^-WiKq^ASboZc@HzK?97ninLqM#KW6>dF{H7N(xOP zz3AMbbLw+Wd|O}GqCMk>m&Se(Aeo}Igsn#?61x#sKu2!@CWVGjS1*x}edlIL9qanE zzv^U5Ls$b(lp=VxH050GkzM*49P(!Q(PDXBZ1dW zGHrr1JT}0L2v)yd(7eTqC+<&gQ;CB|O{~1jSs{ELZL>`Q_`7RDL9WF3w$8ObGuWk0 z5K9m5e+P~2edu&1>-X}{we^AG1tW436ik^-=UZEmvNAnNshm4T 
z1?uD=C%&4|7cU(I<|DmljS2+_Z@I`vi5Ev__w>uUsIC0 zw{A2~?KADKJsAJp-M$fYb(g6w9;nhrv6V6Z2k!9CkF>!73 zjVNf` z*9)=U^~u<9^LE_^ZSg@FEvt)feU0Wk7^gg7+P|-(2x+TQlJ@nSom;!Cef8~!Kf=ex z#^!R5+6@HIY%nm8Oiq`5cGtwKPxw;6DLY{%WWJQYIVMv*y$1s=Oc$Wdlo7>^1 z#dPsg>Nr?BTnP#&b%Y;L95)f?_6 zxP=RyqrTCR6KMVNyD3hfQiJ3af{)1)23|F_TR$EWPA(_)`#T2IS1rrmkn}?(2D?n&YXK z2$vt_Ue9>kG2png>pPh=+;aCG zPs~e(S=$|wi!mCp7j_@)bU2=A?`~AT2isp!XUKK$iq@K42u^K*1hB;)%e+{tnxct~ zTs^?5F|Z{_Unh{uw2N55|Iy{X@DWwBk?h+cvk4$O^S1q zgU3&!C6?53gQKVd4U$I}dA1%opRb|ZpSl9Wh3ElxkOZLeZ&7=V&XY(hiN|Fzm&c@d3)8H7=P=dk~=cqdS=LSvOYjf`-k26M(~%kia+1?FZaLt z<5n|u$(~C(IaN`9rQnfQ%;zMD8zxWAn5Up0js1ygMkff^lGM8S5e$MnZUXMoDSlYl zU6*I1M4^cG5Rl*}J0p}(Ghn$8Jf}hsBYB^P4Zd@LmBDLBl{(6;ntUVlY8w7L&b@xMhh>p(=f3lKc7IkRxE(FO(M2g9aPsTdpxRE%^z*(m zMGd=jaQkvDy`FLv6!b;j_=OBSRLD%=4fL=;$yA_ueBCa*I*$Gv_2m&^49=(CK*4Z7 z|HDgHIdpVpwgjKta9Y7n{*;pbLpC!$5}$NF_Vnq-qVjYD3rh-j#jCOl`%LHA?_r=} zDsnP^6!_b2rY!o%`{ZD`2w!G+2u!(;b3P&ov=vGlO_d#J8~n|9o}EOdfk%T0ZBW?B zNNdCQ{s^D?CN$3Z7|x~%1udubQ3o4qzJ7_{^Q|jH4buiuJPzk2T(9@5vm9v%bdDjo zAKWCMe)8;y$opp^3C24AceC0MW!n1*#W3->?>KivC4wQ+C_mh7{L1QubLqkqt1LX0 zN5gOE2MDOoH~E<_DOWYQYbcDa-asfH=iPjAc@PXb{(7hx38K3j0vIW@#M z?7Lno7qged4X0}SWDtoY1RH6%>GckzT-+KRKbsyhbBhXJD!`3DGz_#d46&ADCqH+{)=zweWD==b3qn#3!8f#Ae$AH|D^b;uvtxo*c?-c51~r$1M7V??C!_TodV#E!lO$YMK& z>gR{1PdIF*T_c~Ywo|@I7DI26V2yPpVjy@)Ejz}rch$PPV06>#ObO^LgSO}5cw&wS z&RH5}`Yrdu$O1chhKCD%if>*L+95DES^m1Uex6mw_gp(7lX1B+F>go?fI=m4JldQc zfe&?&F+G1mYr=g$%iA&6(mJSGEV*!h|KhpyL9y+YEICm@-cKK{rrnr9u2nbJaJ!eR zGcHkmcTmRDShfo_qITv9{-bu<%dvT2nAT`gJKbufN#>Mq53!ziTX`7MA3|=uX(u(tF7y^*h^DUwZ>WpztX|khzo%V=;oJ} zbn6X%X8U-AM_Xyga79>rr+4jf74uD4^Cc^i*LYyeOMO!DQ68=sETf0v$doAB9?8!3 z%OuI$e$TE9BD>JnX$jf;pFHM~jBvtyFFghARMj!1iZ~vXo0WRj0jtS3Y(gPE{FqYT zUi0J-{GNgS(}i4;K!wBRLe^b!uey!vyn3AkL@;Dqk0q0Ije7=%gi%X%` zXRE<&R!rgR5zj#EkSgDV3l(;I@!z<~WG-@0W)?u{a{Gnr1GnxgGM7Ce7E~X-Hvjn)%IS#5n%7=b_FY>Jp-H%DRZE zcSDC*A+Noj98cc>%p-~XSu=6Qul-5gY3B3n7G9nZ+sW7?7Q3GrE_m;D!0j443oov{ z5o|7jtv*>8p@O^2Cec8X@3lT8m%t?K4l25peLKI 
zhZBlH4&xC5#|3sE6vTb<?ZH76TiMO7;zit&BTXySlK3oZCQ($u|#@^yf8^%4rKPT^{Ax)zS6ZWDPp@w z05Z&`9*i56ihy%R?T=IAz}EHI*iQ*xg+z(zDNZ1FJM0{VJUtPb&mS^jq9bq zYQ9j3l_=%{J*l7yu3`Ou1rG{h70JNc+mQG?I6@7~ES;C265sZnvXslh3u<1l>*Lw# z!R$oofW6WWedw}Fvz-3=(A~i9RoS=7kJ`^P>k}+jxUZ1NA2-vMJF1!Uk+0#CE{#CL zGk=l>W?TKRJBOe=7xx3PB4uS@a_>*NnmK6eLdt#o^1O)UbR455)yanY-kkRvGB$_@ zySal&g&A%6Im4x^9ZH_75l>a6Uy)65D7j6{7x9`gKV?phhN7v!8@Y=$JTcT zQXTaV+p|!}%1Tmp$)1ssJtOND*@cYki>xB6jAUi+k&*2hWy>B}mm=G>_vJm`tLJ%s zf4u*4&-a}3+2=C>qw%_;j(%#fA?Qzm#raXxC$vZ`NE-|?Vj5-&39yG8|<&>)sn|J4tWvwHj9tAC69 z!}RHCh>9k)hyw|HX6wDrysiMyP!Y^H^u&kw@;Ens2RWkcbp?5hesjYHS6VUW{9WZa zY5E7}S(sZep#I~gPW_VAD-iJ~ky?m_mpiQAUm%?-Ip*R#TE+%o5<#R;HeW2HxyHZ; zvOV6D1cH`C;WE~Pgl9s>`Joz@t#AMt*W<{|kHM?8V6#7L8}ffsssqVLXw3aF4zoIG zmL@(aAG~RWZ6&ur4<#;ELGXnx!W5_NHd7bGWd+kDf0zo^9jZeh*uc7BBvA*^_<`e`ETL z4cH%1GSzo)V%{I3O;EN9@cQ=T?tQ1^6B@|&2_X)=lTYZ?8hJls%2!r*HoP|T{(?usTobHQ4EEoMtX9x+0z z?3?WhFS6~i$ewi+yJN_j0s)aV)UL@;$6Lbcu77_Zx%WLmmB^p7V4bW-h~v_&KgI9% z>1sm2g#$r|5Mvz5okGRfiZJWv!=KYpIUi$_KgzMV?2*^Au8@4ZCBwQkK09KG-?AOP z*VG;YSV_*hOiZEk-;)m;&LP{fw-f)FuCmzrU`7daeQ|lr;_@5o^o8#Y%JJGk)n0VAoQd zXT7|ZCbx$?k|c2C06ELKTfWYWxM_vaK_Q2(Oxy3Cl%yXL-WK70BeT@SeCYn-Gh8r{ zK>?ct*Dj~G+|bLpv04Rx$=`kmz$?Jr-7|3irZL8QM7G5s@+|vRRXhr~S)sM==1QS( zp^q{|nzu>6HVthTjgBVqt>1H8ArEpL=5|2O&VCSy21I7$?ev8~-YhO% zNjtt!4(8;`x+5u*wl(p*-1M|~DBv@;NK|}d=s#S9y?>|I3$b})?*57qX0I!c=sZ)h zcd>%rC`y@@;D4qjVrYu(7d12S<*xnn$3>1y~f)qi>V+)tCJ!i6x zRy7U_Pd1FhOCtkdVVs&4aw}e-C%{Ee3x3THup`rUh+6vt$y8tYg@ zff$AI1AVPz`ey22WzSJ_jV)yn2=&Pn~+@!#%W@tR}cRaoWHCq$?!N+~e^heiKB4TI}&NJ-aduDbX@5j}q z{|DFN#lKykE!2NL!7ZXJw8Vg9;-F^b(VSV}v%rT0)qivkZX zx|nLYA%JRG&l9DDVsAK@?`LK0+_7+IKN{AL`4CmUU(@G0?aO)4>9F1~>ipQt#)g}b z9UK(8{c{-z7%dVOD`k~O_~ZXU z4t%8v1nDr)1f;6Of`DmEI*0v++wzJaeoU_He}IQM3&?HCIl`B3>p+Nrjlmw^ctqHt8fevy%$eofUOPCw8B-Oje zny;+p%8c6!_*1a-(ZXd-7w9R8u$y>r=9D2~xI(l;Y=`)>7Q1>u3~5F>nID)|$`fj_ zDTwGGKS<(95wZaW|G~*1(B__Q%)^7M2TT?LJNzTLqTI8F*PU;jhJ;$Jv!jyG>=I(0Z5OoC=y)hi;2g`)NkjVVoxEZ8&N 
zzw{Ab2F_fc7avCO(G0P<2=RtP7r6qlM+?dfZHPIXKZy0GSPOhFlo|IB!KO@5N`3IHrPc#p#h@OP_F^MfAkzpZ*JVqcpiSu{`O&R1c+lgzK{>cBlGsrvk z2~v>Xj6TvrgZbCGAF7(1mm!%@E8f>>qnv+>G{LGmfT+npu?1l$*iRDkG7N>As z_fwA*f?58VndqL2Ee}TC4IQWEs{sSv;WF(5;C1Dj@^z@MhkzQ`f?L&DqH1DpIu2i; zUl|zS09IBj?d$J9{vCIE@t}Kbg^rrYDBoZj;zy3R5Q!*I!KuqYxU0-RuUa*m#Nm08)W9oG4QKZ@&udJU0aiF<+_qm>P zoU40$Aul3@3)h~ zx0e<`hy^YxDH}rRfT5s}!-kz@+CMmR@0=g}Bnecv^Lz4Z5J~fJ$OdQrim9GB{oWw& zxMg6y^BZnJwgi1WL}MwNx&((9mKyW&wH>Zbm+1tLqDQW}KFm&L0rnNF(dv{eB{Z)j2i2x2AoJ)ORS335zER+&ByJTGz-L!s}pT zS{0eer8!`8MaK7a2moqlt*^d4IK$Ke;ic!GE;b==u^_RMI?E+Yz1Dq!)4zWju~}Fi zzkDBi`z=SU@3T?E^Z3N2v}cNt*_>M;VW`!~ixB}>h}^@Q=vp(mj5caL^u?Yu7 z?Fo(4CwHAjN)a0>77a_HlVU+G3PX-?xMvjfQfRX?pErYqO~mG;?{*>lOqmg^et8nv z-wQeE>U`(QZI<`%Ja8@_*`H#!ix5eEIbsIdFkaS!@=zw1U}70?*>g z3U#;vV$ngA#TF}BSzp0Qk7mE=ZBD)J-1q}ZpD}G=tPuX^z7qeiI?ngF1L00>-bM+8 zsNGacY(zl`8}8i5`xk=7sWR=vQ8WU9a%5d4-lRYfwK`}(_Vcr|yqgzSmbQy4YG1Ok zWYpEq4!-ts;sFbI?H=i(`1Gu?%rL&-!RE)@NUD0Uch)Q zr4MN^XZK5WjfW*Xww!)&D6N;sc~dM7Jb-DWV%&9tIDisy^66YUq&N~{cs`nTFV?VN zGnW#$k{wAjNX#!3R+zHVU`f}Qu&u<_;zW@PaQfk--GLn{SPF5322 zT;Q+U zeFosVlruDH@K3qS{IQ~?AtF>yR0Q4(Qa<8FPSlpm7pxj7Ig$OOdX>+v(QD=om*U69 zDOL!dZu;LdCu9G|ej^*(Utjq6l0*?6K1Mws z$2PRu!S5z8suZyPccSZGwPvcZc4#uPwuPl4h8oIg5FwVmP>LOT^{A=kH(q* zA=R>P{@!S1YctmzaG~azn6NB|`5;CrMZw5@0+P(=88k3a?!$;I zvQ4{RR=KatL-HBDL~0w!J(L5AtAa^au$?3+B1CMbRHh5Oxd2_zu2*qzNeU!F3W#ol z=HsVA?Ox_=+?IOq(b;8BIATtyigJH(jX@6Xph$(B{QjF_kNu1-dhn@1XQ?Ot{2Wc!HW2TC zf3L+HWczcjabCy_wJGa-ez(F(NLwjO!zW_nZ5oS@k#l}sSJ#v&a5K7u@2V|McIwBq5}bpU)UJGNrXaa+;%%FEW!0W-lb z?|v2WkoqLERKZs-w)WY(ZKxS%-uCv3vv;rf+>v6;r8%@sy&g`6fj_e?Fs#*z*5)u0o zHZ`K18&#Mu{DO~y@b??HA>K@8kp<@(V_raX47+bg_2U=7T%w&GSdp=_F;;{V?awT>~f>M4e=Ox zW$Z6cwVC#}@(?f_l<^tVh1DyjW(8x}E2TYpHo@o?a6$WSd&ig284ry9v=RB{k7z6Q zC2>%Q)jSZMh*An6jWQAl9Bsb0&e08&PPyqJdw!?gk`{;q1{+9E)!JMBLj+lpSPr0E z2V)lQ=~G6~$d!U9dFqRPkcrM*CpQCr2M@{aBscImy!V=u-o63^{Zw>Wx7j~f{`&Qc zUeGu1G*nN>-n-vp$vrX;C6{vSm-PP85aO@%BT1QJ;0Uvt*C|f($O#u(?gO+hoVoK& 
z1Tx61s$t${A8g$=%%{ei%+@zbB(fWs7>I_9X+|J(8Nh&-QE>Cku^;EU?$hB%ApELu zsBvlNROiu!XhwV~C1Q&YJ6l_r2vr6G-BUJT=6cc%X?1XFK_(xE>{om~DDBF5^c+33 z_SF7y_3Mxvj2df2Un`vEM%|zeXJF9X7?-0dF=mI>N2t`~`j)+*Vj0_9Eq`Dt-#f{% zxg@RwxJ}$d2_d2l-YWn07GfqBaH_FB7|@ALh?QsA4J26ade-5OXGx6hwEE_lm2g4- zYq-Y=QFm1)9LxUUN$-Vq<%n=*eRiyf7Jkn_DRFA%$}?Toow0Hfl_R_)IhS|5-s33t z)X%ud%{U5&-skyDiN8GO@|+eFK~CHR{k|dDY*mf?ec5R5q3Dh}vu~{|F23TAt3;AT z55}G_su5m_GD<6LjY;yen1TEIxn*lfW4XD9s1oUDdecJ!OJKZj!6|Pj$Nar9uVL*E zaVC9G|FK8fmT)r;*eF-Y$$xR6%=CIl16}Jn-F8K7iK61h?-^Z9p0^@w_f_lD1 zlM@{>X5o|)v%{*^{u*bLeY;>_8hHBZ4Yrch&C6@I`M?Jp zB*eL7PyQK)%}_Q6=j5>@8}2i7F*+tH<{``OJi+v99d5>ZGWOR=?pjBln)*yvM>K)C z5!Cdae)Kr=lne3lcNWO@$uT5zuxC_dhhXBfn^{f=28_-8Vwgl3NLh2(S_pbBDHUXq zfprjeUQN1PGX0|-M(8YtdlI7y;K#R%WWYQrFCBO}EQzpL5t7DT8s2iIAqq^H`I7O` zgv7X+nhLAtL6Z^X`!x!Z5fp2xmKDfGkunzk%62~p!|7}BQ89%`ec$PEbU=zB3}^1Z z!0Fbz2s##;+ndX9HWb?~ua+7d*G*f_kFW>1D1ZAVE9O;Cw^rpc^qQL2q!%CzuqO`d zTr+|@g0q8=0y#^gVwiBiC-4@Sf_!@VL?`W-k0@0B6W7wq<^u2HZ50$Gmp zA<|W4Wg~XJ`9Nc7;ZBhUc@+um)3m;ki~~53_-i%P;>tgF3$o<|hWWUxdL&%-Wsj%} zUOb1v7SWBh2`O^}AYt&VgX7RF_-xaIiczQu-E$T0sVP-*|8CjG&4Q69jplqH0aPNh zE8jh9rUPRl1s|Im+o^n{h2Ji*AVY~+A*vnRN_8@VS{YPoc)7)A#tA~G_2sy)}{mcbZs+BKeR4d)qiJS6?RzZt2CmkGp=~l*IWxG zdqC%(Hf{0sxuV8F=2#NaeQAadv2AIpjWWs4#yNJbz9eJ6{d>@W-J}m=+6EsNO`>DJ zhIHb^e-|NHv%U0S6Uy0!29rf04wdV?=hDMf7{u-Gbw}JN(Rz*jhno@b0cnM zVa!B1bfcK7x<;e+*tk@K)`35iyNpU*NYmdNk8u=p@$*Vz-{sUnj<;HzPKHA-H(O%I zR4Nmy47;i_3@xX@9WGzDctKmin*pmk;esG|(3iE#J@O<`CImoGV(N8fO}7G9Wpv-> zpW!RBQdWdT3+V~JFyMQLn9Vit>deaX@z}Ctq^3(%f+`gbe$n{KX{cHN(n%o*Xc+CP zb9rel{y~+N3eQ!IVSp)-_dcv^m| zU4InKH>Qa-h4u+F|Jhlhz+o00x?Y8>_+#@o^=vo28fw-j7Q_vB|dn@db>L{tJ zVd7*6O;KjX;v0|&&F?0aM&q#jOVs!=xub^L)kcBo@t@!8o?rHGgFRrx-iW@^&WjP` za_GNB(`GNuUv3>7zr-v=XQ$Q_`n`j2z|+_o*~P_SKv&1w@bhGwp7J3N_QnU8YGf&D z4}-|RN9sUU%1|6jl z_IWjZ!aj7t52TZS_w9Ldq|5JSUh9_Nxs7(G1SgS8Nun?l6~dGP|6rzHo@@^_M7>y<0Hd2 zO2P!!S;iK)h7Vptg7FMp*jlb1V)Bu>JP^yRD&Dc5=_sbiVfS4I{&QW2R14u^ zd@N6|ME5kfi7N-Ft~jb6ZCU!+R`Lku5lNa24$wrY)9QLh@Mi0rQmuQYVY0NarVFB#!M~#Du7iD7)V985M)l 
zUsxXDmVB&DRYyN|iC%^`{yc>0@pkGw(ZQzhjIe=c{bH(?yY=i&HO4?}e3FKLR5vkO zzTK3ZA|%H9P^y=JZhFf-Hn$ij;I)>9pTpKlsEAk1?LSZzYPZ93oC)+gR5<8H6pw2H zLkjwYFMQ12qG0GJ6#*Wo#z~taT+pis9Y~JUC^}dWIFIj`l@jH~`ffqAes;oc+&z5W6Y*RV%aP+fv39fPbPrh|-)I~vq#%!7h755op}ZxE zX1O>7YDX|}UZ)~`0KGLt4GK^jF$Jhha9A*`{6Ldm1gkoLQn8M&oX<C8(Eb3e6O4iDr9{GkKTI6IguH#RUXjm<&!=iLj^>T3%T@a%kj*~(0prN z29`7y~kxh40Oyup9}gHui(I5UR)c-{Si=&4(!^;s{nL8wJEWAmmIT z`J~wO5S%dNq154zYsnjSucJW9e!LZ2@q@h+HGWevw_rE1b|dv9t(1zvBYZK{?3CGP z2?(34hQ5rfn&9Wwl=~RGd1zsA`%|}<4lk70nZwm zJi9YqlV~#o@4X0bs{UtML_GhOBaUsRRza%S2Ynmg`FSqYwqQtYyWEnn05Lgv$Zvhu zwbK>?s;~4|FLx~LidAY;+bs6%K9#lb=wU=>jw&PmrEvwxW^?yvro+B`=~mt#;JAT` zPfjjkPjs75;ZZ|5!*YiV7iC+3IO@NI(7CgGJVrBci3tmihj>u8U{oBv#Ter|O+GKY zk0Xd5S#4{!_AU&A78dDMmV`kbF*@WJ0Z`EzRz3QLpTod~dN;ef;)E1T$1-$U=pJHC z**l5~DZz_^7weaL8?TSmJ#;;KostvM<|NE2lIY9(_Hh(fz!p@>{X0HZfQ3=Q$KOXS zVA+4OuhQ^u*USS@V>gAnS1vpEMUIy`={sE3Z*oJC{*nU+W5}Vg}<7A%C&ccz`>sr-Btc1dp1Z)q&c4!W(kpMa1>C4^kALB z+VDE77AO?K-Mor|PNjZns5M`a0NsDZ6G*Rr)gAr~JfUI?*P+_ZpL=x)2}K}UNX;L;kb#A4Lk;2X+ayPPVlV8M zJp)D`sNNT1F#mU(NwVvsA4`T^AD%z?@?7t7;$Bb#GsK>Z>+y~}I{pQJYBDHhC(8rP z-^>qLX4Z%5Iz7z!J7#O}(~Tti+tcfaB)D67zy*X)!O#TV3?06cPy&wKWZ!~G1@I7q zh*044cd=#u1idV4lN)b7vxn@A1%qh1&dwbZ6?|!9P|73XO4U>Aw%M!p)veww3Sx?d z5+ujaqNpYEi)-0ZraTuUcFIrR7}Igq-VSb1z(S@sP3o+1UB7;X1on~@HP@cUMcbP3 zv9&__Ml6P@W~*NHVM{WM58w4KRqa;azX0zmc>9N;b$txZ&+bERpl>1B7!fLbP~I~8CC{0$+@ZgPqzd=~fofa& z1!uTXvg~WAc<(lLsU>kcL3fq5(c)T|`<^TH_0B;pM+dQ&;X2Bn!=Sr>1b|wTlRe;2 zj96x4<}*@J5wZu>s&E$MihT?NM6Z!4d&vMe>NvAvT%;vg*3jGvuVaK1%u zMjoczH>lpYF#~l*eBqNV3)xSes8F5!ixZV2_Y#FioO|w{+*i-p4G&V$ABrAY1h}R^ zpnSi{!>qC?SP0LXz2^1uv(3e%Qp+ySkNI*{;#d9Vb7php6be5BO@F4Q9Ol~AJ=fR? 
z_uk2K<#(5E0nofflKb2%&zkN_FW;`@*JdTQ*@gO2wZTE)Q-Av4L~KP@D{NpV4%G3o@&%?I8|Z64G;YlD z<(uF3+}xB@H~B06x6Cu~>d3;*%;NC1?bw!&EfupaSJ6<L~h5TA9nW^_5x)$$1Pr_ChN)+{fs!a7_NGOOMSR@doRd4@`t5=4Qg*vWs~ByOnz*U_&NN!kuS zj;s9+Vf8Abj=DKZIz=DrgBdd#qsYfpA6omKsvSd}Ys?Yl&Cfh}`=1!y;+{Ej;okG{ z1Nk>0N6FzTIt$bT+o`l|egqO^c74gd<^J28zrRRQ$#WIRbhBP^B;882(>rl z_;dmBV_+-h!N=ecqyfHpLxxtZH*7F>Jdksg{cPy)K2}&DX!f0oA|Wasb`%$}a((@T zSlXZm9k|(axUlQ^1J<2+{)1dvcz;#Osq8dN|CO$%4tyk@sF7D`HDmL zxxhZ9EE7!N>uu!+TNf0O4F|mwT;>~_VfBW6QY;~uV?}j?uBC(9{RN)(>Njy2Hw&{e z&{dr|#<=aSpRo5lJFI{=^ODDXaoYU72X`=pl?~4ckkzfXA#C4!d5u{k$!APO9s<_s zMt>hk5CdDuDh&3}nFrs!A6uY#+fKag31N=`Ro+d6aC>)%oFz+DYQk2UZM6{48<_7! zz`^h@+oOS;h)H4VtsFz1*iS3zXwWH6$@Byt)}#3&_LZ>;c8c>8^xKcy zcQ{4f`2@{k8xZz*SBr7Tj5rw+t{7z(laNpFmb^-mAUTM1)fl}UhDYkvbB-0GBekQ;qDskgjUG0y zVq~ulVkrMI`rDdxCaiv?hyT#H(z2G~iWfbXlER=W@r1&HEK^1)a&PtEeDxa(2s;V^}23}L0C!MCcfUh!HZXH@Yw*WQUdgxcYDoV}%DvBXYaea0?*C*$W8z)qOqYAV+ z7U~4f zqW0IdXL>WbO|z22^k;qA0}6KLREfXSF(PQI`{&QmU`fK=o%mIegOIND*x}kfP0$Un zAJYx0uXY5OroJRAvL$3y5m!)|+U^_&;`LsdfeOGSeu>#lA8|6W>Q99S! 
z=L1{llauNsIIJA!QYlGr6;d*1zTk+WHnu`2F&_*EEu-XDPO@ zZ%JH?mX=^vMHXKh!;ibHjQIr*G~vSH+N?AJOBYuL!4mDD*V9SU2lJcT3?}on-a#15 zs_)f(h|Xef*54aD8rV*j;l~S*n;U<6B)qXYUU0iH#psH)!RQ-1Vy;56NHCYSX{x69zM`@$}TZ* znT2eKgl$ljqn)JHyk>r?v`#kAqDreM>WZTgefpd*yNOgiw3$d^$phaOb#QBJ~Ya zB`~5vVw!Jzo5!bASWi0f+Rvs-?_1nnM3LNIN1ZN6fXFK<{H~{U5B|!A<}tJC5D>Z$ zAiJ%k?JP@Q9biYG^tn@t`!z%Q2nHb9#zT}y3k#H23U36{7iyG}3qJKD$e!H+LbYh{ z=TTaz`l~=)oV>c$;!nBXZq1l}eQ*vs$R4d)^r&cyCKZPLX5Fk( zOI7FqYSMv+@{R*p3bq?r5L;hIoffR`(DguCU;FUAg+^MZz@)=Vjc=&8Ss0Y;h!3c>v7h%S&S9A~tu*~~buZ@Jsy(;i0Th0mG%p@P%!R zRd_*XSiq8?i0eLqT53t+G9890oB7;Me}2zeZZ&yz++I&a;64i%2$FoPcKrtmhUh&`c{&W&{hW=*WDe(HgR|vq2tYo295g{ zLSRnHp>g&T#UL>Nb=Ql4$JD31KsMbR!;f!ZGsjPw9k&M_#v0K6(AMs7I};L?#r=lA z+UGjysT$&NMe}Q=_wmb&%hh+XXyhkQ%EzFod^asG+y_~P!U zX5dq=tq{E_?>hE;7DuZuQghfPEchuQ`b+0W;gDyeM$0oI&YLW_ST62RV68X%xb@M+5_dW4O zK8yN?h)|e8y2>ANj{L!GYe|WOr$h&lm9WaS54SIiM}66OWh4EIK$>2<^$!8ADP-7# zgb_N|V4;txIWy{)boxxTc9{VelEX(AR@FSozG;l_W*#71-}VrSvL1F-u3o^fui^B@ z2jdB*&*{R#KUN}B6?6MA_Mlssjn9|xp{V0S+n;|2u1Dq*tu?)_q`uH zyG~DZg!_Au3X#iIb$?4KyBX|en&{Y^jLSvk7r<16H_S?c(iuMYKtT{OdPbbN4&(mSGd>vn!y9;^!mbL z*O9Mbh%b~(;@7aXf3*pupLHkdC`+Dny}h0S3PiNS(ubX`lE@UZCfawc7G)DjL*HxF z2$@JYL}_NGdz;#&y#ZO%b}#tX*RVHR>TmnRI$rGi1!ksQ*2ZJ-_Z7!Gcq_BrxBlfQ z#|s{}Du(Hnso3#l<{lJ_oJ?S?;#lz!#4%Cg6fxtZBwQ)xo%~a=ZCnPLFmGp~*QGrk z_Ynx~bTq#~b*t%u=7^%c&gv|^t54P~SoJaVfql$=lij9&xW*Gy6GVC=r1jGLAEU-g z*4AEJY`AzGfsW2wDL+|Fkh5!h>z}>j?&9=G*-*g0?sw&eZ0Ls}V{)*Qn5VYJqDxAO zi1j9~mI?Mt#cqclkBO&DPuIg!9JfE%qrZ2;F_a<>=Z#m%;l(S^I>2T+Qm;Dv)m>Tn zd`JD?ZpPB9n-r@Q(ak56yT8+wP8vm5Y1}Qzds}Pa-wm%Bdq2yRnxf88Ywi?dMtRPz z_lX62ZU2rv{!!p6>5QdS7>e`xGLUeJHt{vymzCQYJ8M5g%b$a(Cge?hwT9NH0ZLAg zMieRjXqSQMj*eW$Up^i1@cy?q9o(k4Y` zD(-e7sQiG0!&j8!YH_papX}AgmKRT)%^g+5cinj2?>RP#)}aLJDw-oBTgTn?wc|??br{2O%1o%^&=k#J_BQ+oy(?DoJs( zHk7=Ez0i6OoMtmybBYke-B3_=$%^3X&ywPQ^HBDyp6}eG7z-*?^f8YQ(DVrzl^}36 ztlnD%ge!)k*m(6|lqJZX(C475U#YA+co)*U^Q&>mmE4&(3)UVqR;WPaj*9@xG^w48 zb4}BrESRK%k*7q<%BJt2X~#LeLVSY&8V=-z1-E)5t5?phxsW<@ 
z@jGAPSsHzh-j154e7v*#+3EO$p}qQ`3K$Rci);0RGeOzGH^NP~ayC8NNAEv7C=ZWQ z(twnOY~C!ZWy_z)lgUNvPs3-0VXF-Aeq=cztvqKZ$L34w>-C8`N~kv+Ir7$SYvFZ` z*McBM-uMZ6mCBQj+K;B%R>lDT3KJv2s_S~rQsDCo)Q5o9{2+=xoR{QR&HH=x$@j-b zA9jJ+>FMrNO`=ZnCqL|*+qe9T?6LJXFa@fMxIbL@=E_hjZ_%Z?e6~l+zze=yy-!1R zE$uUEe}B_oLH?*=A2?l02IS1&5P3^CgD{-n(J;G(#SS#ns(!b;IA%%O<6CN;fF$(NS%0wc^V6zwL&AdAI?CI++SDVXy#4%mO|LK?$B--*nJa*Yn0$)% zdydX^Sv4JGf$&pjF1<=MV2JXW|Am@A*8~wTF-rOen3ozr9tB+ZUO9DARQ8{{c@qrL zwy+qfeaCb$hcKO9JuNU?rHc$SNvA7@sgqZs9&z8lGyJl+wN!#c{ZeH^p`BPEDKa&c zG0hD2aN^9t;oZn)$<>Or7iA#9ZN=Ip|0>AUpD20}Y41Dg^O&QLFi&@<3K$-(a?b|3 zwoA~Br$stS?PY(nvjD+<*TWYS z>lYL6Yd*rX^Ho4LZv_{(d_f*}Loc@<~h=&$~e| zta4pPGc}R&2nNcv;O+4yz9)#2)f=+KeAvTPZ< z8&O}Gd_tG1j!a^2i7{S%aMB9A2+VLWEAfEcaLml$A%}18k6rGQh_dgi=c(fb38A%4 zs~qoYJXgiflPhWN-CI6CM^K*aI81k=;ll?ZRwU#p60LLi$iSB0{@X9d6|vk zqh%|fxT@UGfmO$J2p-;9>md=VAbuyYpMHeei5DxXv^jq^@t={c2*P!%pq9&^^HQXs z5&!M48mvXP&y`=!BfX01+r9o?9R#7KZ}E?Jpdo`BCl(eKcH?XEP&BUI;k>mEmIo?B zHO74z{`WoaZE?rbm@~sFL4hEom}B-+;0C07J)EIFUm52ObF|omzQlC6F7;ZOdgj>g zVC}$?z>P`tKi~j{1QKpz!~61=uad9j(UKdAyKp;>#Jj$E%Zs$A|0FSCPAvKZH0c^% zvj)}f^%~TeB1&eG4pyqjqK;n1-rB!6z^#6_4Fg>8hLeJelQE4TR~wrB7AA4yf$tS* z_V!dU#qkBpX=@VEOCsgRLSVe`;lk%sY8SHPnlH7e1B;T`1NX+`Rq!c{5`>gJH09R~ z1QAINu8TH55Rm3KTA~>@J(JY$v|7Vg3~FAqR9xyN?R3J7V=O*muj92HKD9V@{Sj=8 z+L0`jTxB?5tS#YJ`o~s*?@148cMk zU}l5*O4~i&oL%0@A8)L~QP!PHK9Wqy?{AtBa4+e8XyeO71=%`aOfQIfr0#XE13Lj- zG{ewCb=LGKv$5p9UUM<510<=Kx6TTHrbajC^BX03F%urWcFNUXNKszT2eGV`PW_eb zlvC_N$rUh%{@eNE3NUGr1gdO+CeI!|N$Wq(s(ZfUMif+)z{A~N9Z7QONZIsHPi=ZS zNcrF)ZODI*LM!({cyU9;e~!zRXZV({`?GEk*k&`~(vE&Tpzvhu^SamCOJeY8Fv(yJ z969(%p5ta-i_!Erq4VTZ12ueP3a_+WT=bczWgsI#Ic5fD<7uH|IT#x~vOE~FkS5&{ z#)BOBRjTw~ij&qs7bdjye-Z)3a7+j|a)V~mOm9JdkLT#XkPS7kI3;xH%-b;V8X;_? 
zXmSk+hKZ9SQuoW>JayN7f2^Kl!5q~hzPT?DAfM>cAMM=yzr(3-hP_qM1j(4ROQ%ag z`+B;$kC>0hr3G8B-=b5F;aysLD$B?i$u=7H;oy=y*^?6rj;}>S@XU?^_GbAZZ4K)gJGuH|&n9 z2zvCP@qnjLN6CfzpNInpp+w8xNZ;L`9k}GVF?)Z|4>0VQMWc5+!GaO3H&9p&R-2=Y z*LN^%a(+Mw3J{9fZmlkpTy`%(*R&F`2~&)oEWj!mbk{d}%x7}xW$@%MtheEKu*rLL#N~S5^UP_wtLJ|o+Ic9wO0@F)^{o9i)1YihXk&D4$;A;h-3nfu4>Isxnx zO%{tj0id^2c#Feiv$^e{b15U92Xcy`vd+8kO9$=$xbM_H(sjJ2ozik;tE`e%W}53q ze*Ww#?!u%)Vtv~TysdQZ7*F1$M*ajyyvf5XliG9-yQ-zi*V6_Kj;UkHE_6~_`X$IO z{{>)4pr1C3JY-s%+3BWKZD4{IjqrL4a4!Wz^eU8@uTdN%@-M|^Z+D#usI zy88>KaB+e4xXRgdeBS0EOC|DZ4v3xu{@*K*mA2%tw z3@hBkE`$i`^T`jAp^^$880gYmQ_yM-80){72?%`nFwf+?Pvpfdny>rTqpK4dJ7X_v z7JVeaINgM`_?V>hAFEaQ!28dw(I;QXi~<#fC7=uwb1o8K$^#AR1+~hf7j*jy*U7sQ zP(1bdF1PjoQ$0FM-3|&cMx>CALOxqigSl5uRwM@Wb#RZtQ)Cc;Vav#snsz8=*hpyw zaS{N>HXp?{A%>@&i@`9eI3L1s*y^`uo3Vs*n{Ilab8Y$_7=E>g_bH96d>+3alDZ5B zMHk9_)maVg8U^St1IIc=afL!10SE0RTtXEZ&nwSHp|1}8M?+)7x9;TS4}K-|^4X3; zECgbl0c`M z7|-{g3l+PEpK8X1;5Hy1+ZQ%fdD$M9@wp0#49~a$3hXmM-?N|AmR0^dx+eA|o0)91 z+`pITjYmfY-^j2LuHrB0!6yP=0h}>&=YWPn;_j(DQX2t@OM53PB?2N|SQ7C9)%H7E z{5-#^d!-Vhf%tdZDv!HkKjmgHt)Tw5>n-7TNYM>j*g=ji@NW0ef^`e zD9bI>7LVa03nRBtP&c~fGyQ)~nQC+h0z%^lZ>c${JHD)AYlFPJSesvuaI=4o`0H2! zE!ypj0OQ(ok(s|Zk;Mfm-dVhTbGY9P;ghu}e$eR(h!4!*K}aQUEL!zmE1s&=@h$xI zCgF|uxPx_XzoG95Z!3rGjz3%IBh|)5l|1mxlfMaMWRb%wK&8t?G}dswVNWAZksh

X0g>7 zU8wVt&D?CAV*FXZQf!BfVh`S5RN<^j5pt+`Xwj8R;N$=Ksz7UBts?5<^3JYH5W%ID zDL)Ww)wnE0`vt^;ZO=Q)YhCu}fn|pz_8+C@_=7MgJ~lb|l{2|LH7_06@c+uY?zg7W zB^*?6S1F3J3L4N|S6A@Lx)ddJ5Mfb31Ze`IsFcv8N()7bD=w%gTtJDqOYbG3Qi6ga zA_OTx2pth2;GsxD2!T6?qVfI*cklOGp64XzoXLDs-g##}VIp=Q70Rrg*!K>Q%w&*}Om+&rq>Mn9XdWhxr=&Yw@IaDv2 zry3ML_cUE*9C*-naEr1hDcs#|_xiW|Fc zr%TG7obmC`M*i+tw6cCZ-LIr7_1U#E$n0tw#gycu(u!osrf|v}wmThm3*%@CaQ)Ko zc2&B@jK~@95u!k+yCEs*Ja+38IFj*Tvy$Kay+q}$&*sq1Bj1xWD!h8vQTDgi(aC4#|OzdrFUc>Ug+x%VDtOsS{+t4 z%@w62s27LI^>B2c-jA>@*npldpAQVd$96ItuZULV7HI|8+V&mS z_!RWtKSI)@j_bT33 z-t`*1EELT8(6CtHCDK$^?AX32!*=)Li@Zc}F>4n#^Vt>WG8rxANw+&|S?Shoa{uY3 z9B9{K8yn$8EnVIaj<8q-mn?IK+6)UXZ}{^@bKNv*<(uD{!V=&Ur+P?I#Y1 z^%waKa&kEKKpP!Z3J49H;9Yyn&IkfcWy8Ejfej%fN(0Wi7dP~I+@RL6s`W`?@ugUA zta7I9uqGTkr`umR30s=_Ldw*OrOMp*ba49I_z=p<9rsm{?MlXy;@*BzaMz%FkGHq} zoIRdkL@#2F-uLT}2?SJ;gp39NX2?b~*lr6Ip$#fK|6W^b(19p(J)IEQm1SO^mg8Tl zD;HGTbEX>8TwE9@yqM;0tN3f&8;30<9McfEGg&P+FMDT*9l02d`XWlnfsV&|$35P8 z_Z7eZ4?B;sF&6EULwU<^H7@5xXE9Sio5G9lPR@7w!L>8x?Q}eT_TGz8dG{h5;kRRd zJ{2la&gI+<%4bF-XSQCWn^b*p^`gB~-4Gxnr2|mls%G>v*Al1)qU5T7bL&(Bw%3i2 zJ@X%XwD7;DdfiTwE4yS^aNz-V5Bb>!+n636>YIk~0>LI0AAOP4K)%Q+qmo^HC)VogXEm$ISRp){hG=v-IZjb(FY<)sHlLsVfaQT1#}3FD?sm~>PoNyv6q+AO%_-F~oGg)%6X{NqGfb&HMbkrG#gK!!nXg`;)9C-| z>6z)~HasK63?Ri-2MMU^D@4QWG2e+~TjD@%-&TzHo|yRD)K7nK ztxDhSLl>SXT_00~1lT^Qd7Y60g3Lp26duXfDEAuZVJ<7I7x8A9=7W3pe-qpM9{fq27_ijH&4@h6h zIA@=f5lJ^>$D2hOtje^YIU)UdYWATF-r%z5xPnnIrH;@xCnCK0BH0uLoR$umM@3jY zZyBF&54FlU?Z&ET^@EtM@5$NCM>+c_CMV6-p;+2#1ZVdY?IXeRYd4<_d-?qy}YiONr=&w87zn^BwS)OB=wbog6yTq#8#2b90QLlMAg&N#>9xu?6q=3{1x2+gM*+D=3^W2@Pqajkw#!+{IsdrW<})@14tMd z5{efkj!s%O2FIFfVwkvJK0tvli#aQbyE0dv*IQn{k=-gC6|_ zYeazEd96D#W_kgXZZ&?YhT>U{%@yd~7*{4(VEJOGz*zio=bElzr#^6bi+=KMErQ`% zTD>i#&C6n5Np`A{kU2O`X2kN!oxqL?ug?`eoAvkcKHjm=opGN}pJfRwwGtt(0rc31 zF9v{ki$I+bF*!1JnB{TTeQ{Sf&R$}_>93C_p3-%cM7E*gUNv?1 z2JLvO|6Ow-x7Yt`=lp@gRs6}W!o|+{9({P5q{l+j_wHkTXF`ZaBcKkHbT3wE{xe6(B~nA)N-Ab_bhowG3Y&ptg5a?PiDKi4`TXd-Z8TSW|MH$7kT$ 
ze5PL)n9)fPWAF>^=KCZ94d=+C_cAP(Q>+M>*7ql7dur*?O})iu1~6$Gz^lEJWi3#ZrO3IttAM8)B{(+7W%f zeIe!?n8(j2SDLn!$`M!Tkm)-GeWPapd+e;Rkaxi&I2ee z#;yF2FIyxYhhz6}+l14g3xWD*ZKT}geqH}#g;0}~Y@YoWyXtnYiNixQr9uI`{DGLT z3XRk?GsW?E`pCT|rlpMxJ1Y`rHJ4HQZ->M(?VeMtY*~n71rl+lh@fcpUS++fd^dGYFZG!CmiZhtr-msM z##ZPhCnYi$jFBMuI+Z>+^f0&6z3-ZSc$n0oHWX7*oxd@?>Ukm9R~><=(~c5O!doQr zuYEKFs__Vv!n`F^^4e$&`>xQ7VmOb=9I(d#m%Ei z^YowZx0vR%L{vn2&N|&ZFB}V4lwsyJY5Eii&j?YWK2t$)C2kuaM3yj5b_}mYbB@2? z3~tkK_Lfjg{gW+73wS~gh6d1w3V3-=d_uOoJw)xJaxO2ON9H= 0.1.1' + optional: true + - name: gcp-bootstrap + repo: bootstrap + type: terraform + version: '>= 0.1.1' + optional: true + - name: azure-bootstrap + repo: bootstrap + type: terraform + version: '>= 0.1.1' + optional: true + providers: + - aws + - gcp + - azure diff --git a/kiali/terraform/kube/main.tf b/kiali/terraform/kube/main.tf new file mode 100644 index 000000000..aaecb8387 --- /dev/null +++ b/kiali/terraform/kube/main.tf @@ -0,0 +1,11 @@ +resource "kubernetes_namespace" "kiali" { + metadata { + name = var.namespace + labels = { + "app.kubernetes.io/managed-by" = "plural" + "app.plural.sh/name" = "kiali" + + } + } +} + diff --git a/kiali/terraform/kube/terraform.tfvars b/kiali/terraform/kube/terraform.tfvars new file mode 100644 index 000000000..961103ecf --- /dev/null +++ b/kiali/terraform/kube/terraform.tfvars @@ -0,0 +1,2 @@ +namespace = {{ .Namespace | quote }} +cluster_name = {{ .Cluster | quote }} \ No newline at end of file diff --git a/kiali/terraform/kube/variables.tf b/kiali/terraform/kube/variables.tf new file mode 100644 index 000000000..27f0a7f1a --- /dev/null +++ b/kiali/terraform/kube/variables.tf @@ -0,0 +1,8 @@ +variable "namespace" { + type = string + default = "kiali" +} + +variable "cluster_name" { + type = string +} From 276b8d1335efe3dd4f4c7b2592f51bba4a0792d1 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 13:37:00 +0200 Subject: [PATCH 02/18] fix template 
Signed-off-by: David van der Spek --- istio/helm/istio/values.yaml.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio/helm/istio/values.yaml.tpl b/istio/helm/istio/values.yaml.tpl index fcd85e088..f7dfc73fe 100644 --- a/istio/helm/istio/values.yaml.tpl +++ b/istio/helm/istio/values.yaml.tpl @@ -1,7 +1,7 @@ global: istioNamespace: {{ namespace "istio" }} -{{- if and .Configuration .Configuration.istio-cni }} +{{- if and .Configuration (index .Configuration "istio-cni") }} istiod: istio_cni: enabled: true From 008dd4a6d66aa4572bfc8fc27ec5ed6deb69d87f Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 13:38:45 +0200 Subject: [PATCH 03/18] some fixes after pushing Signed-off-by: David van der Spek --- istio-cni/helm/istio-cni/deps.yaml | 2 +- istio-ingress/helm/istio-ingress/deps.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/istio-cni/helm/istio-cni/deps.yaml b/istio-cni/helm/istio-cni/deps.yaml index 4910874d0..3b4a86792 100644 --- a/istio-cni/helm/istio-cni/deps.yaml +++ b/istio-cni/helm/istio-cni/deps.yaml @@ -12,7 +12,7 @@ spec: - type: helm name: istio repo: istio - version: '>= 0.1.101' + version: '>= 0.2.0' - type: terraform name: kube repo: istio-cni diff --git a/istio-ingress/helm/istio-ingress/deps.yaml b/istio-ingress/helm/istio-ingress/deps.yaml index c49199476..fb3e0e8f8 100644 --- a/istio-ingress/helm/istio-ingress/deps.yaml +++ b/istio-ingress/helm/istio-ingress/deps.yaml @@ -12,7 +12,7 @@ spec: - type: helm name: istio repo: istio - version: '>= 0.1.101' + version: '>= 0.2.0' - type: terraform name: kube repo: istio-ingress From ea5ca1a7101d36483d8254316fb80b0b479e91a3 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 14:14:48 +0200 Subject: [PATCH 04/18] some initial kiali fixes 
Signed-off-by: David van der Spek --- kiali/helm/kiali/Chart.yaml | 1 + kiali/helm/kiali/deps.yaml | 4 +++ kiali/helm/kiali/templates/secret.yaml | 2 +- .../helm/kiali/templates/service-monitor.yaml | 5 ++-- kiali/helm/kiali/values.yaml | 1 + kiali/helm/kiali/values.yaml.tpl | 30 +++++++++++++++++-- kiali/plural/recipes/kiali-aws.yaml | 6 ++++ kiali/plural/recipes/kiali-azure.yaml | 6 ++++ kiali/plural/recipes/kiali-gcp.yaml | 6 ++++ kiali/repository.yaml | 3 ++ 10 files changed, 58 insertions(+), 6 deletions(-) diff --git a/kiali/helm/kiali/Chart.yaml b/kiali/helm/kiali/Chart.yaml index 85bc84ce9..f80349a1b 100644 --- a/kiali/helm/kiali/Chart.yaml +++ b/kiali/helm/kiali/Chart.yaml @@ -8,3 +8,4 @@ dependencies: - name: kiali-server version: 1.73.0 repository: https://kiali.org/helm-charts + condition: kiali-server.enabled diff --git a/kiali/helm/kiali/deps.yaml b/kiali/helm/kiali/deps.yaml index 5aa5bc26e..160c4d1e3 100644 --- a/kiali/helm/kiali/deps.yaml +++ b/kiali/helm/kiali/deps.yaml @@ -9,6 +9,10 @@ spec: name: bootstrap repo: bootstrap version: '>= 0.5.1' + - type: helm + name: monitoring + repo: monitoring + version: '>= 0.1.37' - type: helm name: istio repo: istio diff --git a/kiali/helm/kiali/templates/secret.yaml b/kiali/helm/kiali/templates/secret.yaml index 01cc3af95..d44d37bc8 100644 --- a/kiali/helm/kiali/templates/secret.yaml +++ b/kiali/helm/kiali/templates/secret.yaml @@ -4,7 +4,7 @@ kind: Secret metadata: name: kiali labels: - {{- include "istio.labels" . | nindent 4 }} + {{- include "kiali-plural.labels" . | nindent 4 }} type: Opaque data: oidc-secret: {{ index .Values "kiali-server" "auth" "openid" "client_secret" | b64enc }} diff --git a/kiali/helm/kiali/templates/service-monitor.yaml b/kiali/helm/kiali/templates/service-monitor.yaml index 92edc020b..9f7b80d46 100644 --- a/kiali/helm/kiali/templates/service-monitor.yaml +++ b/kiali/helm/kiali/templates/service-monitor.yaml 
@@ -1,9 +1,9 @@ -{{- if eq .Values.monitoring.enabled true }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: kiali-service-monitor - labels: {{ include "istio.labels" . | nindent 4 }} + labels: + {{- include "kiali-plural.labels" . | nindent 4 }} spec: selector: matchLabels: @@ -14,4 +14,3 @@ spec: endpoints: - port: http-metrics path: '/' -{{- end }} diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index ea98028d8..29ef8c2ed 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -1,4 +1,5 @@ kiali-server: + enabled: true auth: strategy: anonymous istio_namespace: istio diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index afd7b2b68..1a61f67db 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl @@ -1,5 +1,15 @@ -{{- if .OIDC }} +{{- $monitoringNamespace := namespace "monitoring" -}} + +global: + application: + links: + - description: kiali web ui + url: {{ .Values.hostname }} + kiali-server: + server: + web_fqdn: {{ .Values.hostname }} + {{- if .OIDC }} auth: strategy: openid openid: @@ -12,4 +22,20 @@ kiali-server: scopes: - "openid" - "profile" -{{- end }} + - "groups" + {{- end }} + istio_namespace: {{ namespace "istio" }} + external_services: + istio: + root_namespace: {{ namespace "istio" }} + component_status: + enabled: true + components: + - app_label: istiod + is_core: true + - app_label: istio-ingress + is_core: true + is_proxy: true + namespace: {{ namespace "istio-ingress" }} + prometheus: + url: http://monitoring-prometheus.{{ $monitoringNamespace }}:9090 diff --git a/kiali/plural/recipes/kiali-aws.yaml b/kiali/plural/recipes/kiali-aws.yaml index d1a0d2ccc..d6889bf0e 100644 --- a/kiali/plural/recipes/kiali-aws.yaml +++ b/kiali/plural/recipes/kiali-aws.yaml 
@@ -2,9 +2,15 @@ name: kiali-aws description: Installs kiali on an aws eks cluster provider: AWS primary: true +oidcSettings: + authMethod: POST + uriFormat: https://{domain}/auth/callback + domainKey: hostname dependencies: - repo: bootstrap name: aws-k8s +- repo: monitoring + name: monitoring-aws - repo: istio name: istio-aws sections: diff --git a/kiali/plural/recipes/kiali-azure.yaml b/kiali/plural/recipes/kiali-azure.yaml index 58ce04d7c..8a3e4f23a 100644 --- a/kiali/plural/recipes/kiali-azure.yaml +++ b/kiali/plural/recipes/kiali-azure.yaml @@ -2,9 +2,15 @@ name: kiali-azure description: Installs kiali on an aws eks cluster provider: AZURE primary: true +oidcSettings: + authMethod: POST + uriFormat: https://{domain}/auth/callback + domainKey: hostname dependencies: - repo: bootstrap name: azure-k8s +- repo: monitoring + name: monitoring-azure - repo: istio name: istio-azure sections: diff --git a/kiali/plural/recipes/kiali-gcp.yaml b/kiali/plural/recipes/kiali-gcp.yaml index a72daaf95..5a6e6f70a 100644 --- a/kiali/plural/recipes/kiali-gcp.yaml +++ b/kiali/plural/recipes/kiali-gcp.yaml @@ -2,9 +2,15 @@ name: kiali-gcp description: Installs kiali on an aws eks cluster provider: GCP primary: true +oidcSettings: + authMethod: POST + uriFormat: https://{domain}/auth/callback + domainKey: hostname dependencies: - repo: bootstrap name: gcp-k8s +- repo: monitoring + name: monitoring-gcp - repo: istio name: istio-gcp sections: diff --git a/kiali/repository.yaml b/kiali/repository.yaml index 50ff76bc1..74c9119bc 100644 --- a/kiali/repository.yaml +++ b/kiali/repository.yaml @@ -6,6 +6,9 @@ icon: plural/icons/kiali.png notes: plural/notes.tpl homepage: https://kiali.io/ gitUrl: https://github.com/kiali/kiali +oauthSettings: + uriFormat: https://{domain}/auth/callback + authMethod: POST tags: - tag: istio - tag: network From 2a1e02d80ea6aec56f8a6256dd1ba4aacf0defd1 Mon Sep 17 00:00:00 2001 
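Review bot: The azure and gcp recipes still carry `description: Installs kiali on an aws eks cluster` on the context line directly above `provider: AZURE` and `provider: GCP`. These hunks already edit the recipe headers, so this is a good moment to correct the copy-pasted text, e.g. `description: Installs kiali on an azure aks cluster` and `description: Installs kiali on a gcp gke cluster`. The same stale line reappears as context in the PATCH 06 and PATCH 07 hunks of these two files.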
From: David van der Spek Date: Mon, 11 Sep 2023 14:57:37 +0200 Subject: [PATCH 05/18] add default istio gateway to ingress chart Signed-off-by: David van der Spek --- .../istio-ingress/templates/certificate.yaml | 16 ++++++++ .../envoy-filter-ingressgateway-settings.yaml | 2 +- .../envoy-filter-proxy-protocol.yaml | 2 +- .../helm/istio-ingress/templates/gateway.yaml | 41 +++++++++++++++++++ istio-ingress/helm/istio-ingress/values.yaml | 11 +++++ .../helm/istio-ingress/values.yaml.tpl | 10 +++++ kiali/helm/kiali/values.yaml | 2 +- 7 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 istio-ingress/helm/istio-ingress/templates/certificate.yaml create mode 100644 istio-ingress/helm/istio-ingress/templates/gateway.yaml diff --git a/istio-ingress/helm/istio-ingress/templates/certificate.yaml b/istio-ingress/helm/istio-ingress/templates/certificate.yaml new file mode 100644 index 000000000..876354b8d --- /dev/null +++ b/istio-ingress/helm/istio-ingress/templates/certificate.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.istioGateway.enabled .Values.istioGateway.tls.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "istio-ingress-plural.fullname" . }}-ingress-cert +spec: + secretName: {{ include "istio-ingress-plural.fullname" . }}-ingress-cert + commonName: {{ .Values.istioGateway.tls.commonName }} + {{- with .Values.istioGateway.tls.dnsNames }} + dnsNames: + {{- toYaml . | nindent 2 }} + {{- end }} + issuerRef: + name: {{ .Values.istioGateway.tls.issuerRef.name }} + kind: {{ .Values.istioGateway.tls.issuerRef.kind }} +{{- end }} diff --git a/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml b/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml index 8c1ebd488..9f186db60 100644 --- a/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml 
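Review bot: With the chart defaults this Certificate renders unusable: values.yaml in the same patch sets `istioGateway.tls.enabled: true` together with `commonName: ""` and `dnsNames: []`, so `commonName:` comes out empty and the `with` block drops `dnsNames` altogether, which cert-manager is expected to reject. I would fail the render early instead, e.g. `commonName: {{ required "istioGateway.tls.commonName must be set when tls is enabled" .Values.istioGateway.tls.commonName }}`. gateway.yaml has the same gap for `istioGateway.hosts` (an empty list leaves both servers without `hosts`), and virtualservice.yaml in PATCH 06 has it for `virtualService.gateway: ""`. The resource also has no `labels`, unlike the other templates in this chart, which include `istio-ingress-plural.labels`.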
+++ b/istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml @@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: ingressgateway-settings + name: {{ include "istio-ingress-plural.fullname" . }}-ingressgateway-settings labels: {{- include "istio-ingress-plural.labels" . | nindent 4 }} spec: diff --git a/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml index dff592424..90deeda62 100644 --- a/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml +++ b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml @@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: proxy-protocol + name: {{ include "istio-ingress-plural.fullname" . }}-proxy-protocol labels: {{- include "istio-ingress-plural.labels" . | nindent 4 }} spec: diff --git a/istio-ingress/helm/istio-ingress/templates/gateway.yaml b/istio-ingress/helm/istio-ingress/templates/gateway.yaml new file mode 100644 index 000000000..74b6db57b --- /dev/null +++ b/istio-ingress/helm/istio-ingress/templates/gateway.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.istioGateway.enabled }} +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: {{ include "istio-ingress-plural.fullname" . }} + labels: + {{- include "istio-ingress-plural.labels" . | nindent 4 }} +spec: + selector: + {{- if hasKey .Values.gateway.labels "istio" }} + {{- with .Values.gateway.labels.istio }} + istio: {{.|quote}} + {{- end }} + {{- else }} + istio: {{ include "gateway.name" .Subcharts.gateway | trimPrefix "istio-" }} + {{- end }} + servers: + - port: + name: http + number: 80 + protocol: HTTP + {{- with .Values.istioGateway.hosts }} + hosts: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.istioGateway.tls.enabled }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: {{ include "istio-ingress-plural.fullname" . }}-ingress-cert + {{- with .Values.istioGateway.hosts }} + hosts: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/istio-ingress/helm/istio-ingress/values.yaml b/istio-ingress/helm/istio-ingress/values.yaml index 7f603f191..9bfd0e089 100644 --- a/istio-ingress/helm/istio-ingress/values.yaml +++ b/istio-ingress/helm/istio-ingress/values.yaml @@ -8,3 +8,14 @@ gateway: labelSelector: matchLabels: istio: ingress + +istioGateway: + enabled: true + hosts: [] + tls: + enabled: true + commonName: "" + dnsNames: [] + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer diff --git a/istio-ingress/helm/istio-ingress/values.yaml.tpl b/istio-ingress/helm/istio-ingress/values.yaml.tpl index a6c52c0cf..400fd7f6a 100644 --- a/istio-ingress/helm/istio-ingress/values.yaml.tpl +++ b/istio-ingress/helm/istio-ingress/values.yaml.tpl 
@@ -11,3 +11,13 @@ gateway: {{- end }} provider: {{ .Provider }} + +istioGateway: + hosts: + - {{ .Network.Subdomain }} + - "*.{{ .Network.Subdomain }}" + tls: + commonName: {{ .Network.Subdomain }} + dnsNames: + - {{ .Network.Subdomain }} + - "*.{{ .Network.Subdomain }}" diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 29ef8c2ed..22c5ab73f 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -1,7 +1,7 @@ kiali-server: enabled: true auth: - strategy: anonymous + strategy: token istio_namespace: istio # api: # namespaces: From eff2f5e4fcb3ed1d716cd347697b5064ca6db688 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 16:07:59 +0200 Subject: [PATCH 06/18] some fixes for aws nlb ingress + kiali vs Signed-off-by: David van der Spek --- .../envoy-filter-proxy-protocol.yaml | 4 ++++ .../helm/kiali/templates/service-monitor.yaml | 2 ++ .../helm/kiali/templates/virtualservice.yaml | 22 +++++++++++++++++++ kiali/helm/kiali/values.yaml | 9 ++++++++ kiali/helm/kiali/values.yaml.tpl | 3 +++ kiali/plural/recipes/kiali-aws.yaml | 2 +- kiali/plural/recipes/kiali-azure.yaml | 2 +- kiali/plural/recipes/kiali-gcp.yaml | 2 +- 8 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 kiali/helm/kiali/templates/virtualservice.yaml diff --git a/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml index 90deeda62..b4fc03e26 100644 --- a/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml +++ b/istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml 
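Review bot: The `*.{{ .Network.Subdomain }}` host entries carry no namespace prefix, so as far as Istio is concerned a VirtualService from any namespace may bind to this gateway and claim a name under the subdomain, which is then served with the wildcard certificate requested in certificate.yaml. If that is intended, say so next to the list, for example `# any namespace may attach hosts under this subdomain; use "<namespace>/<host>" entries to restrict`. The wildcard entry in `dnsNames` also presumably needs the `letsencrypt-prod` issuer to have a DNS-01 solver configured, which nothing in this patch shows; a comment or a dependency note would make that requirement visible.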
@@ -16,5 +16,9 @@ spec: value: listener_filters: - name: envoy.filters.listener.proxy_protocol + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol - name: envoy.filters.listener.tls_inspector + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector {{- end }} diff --git a/kiali/helm/kiali/templates/service-monitor.yaml b/kiali/helm/kiali/templates/service-monitor.yaml index 9f7b80d46..2084a4034 100644 --- a/kiali/helm/kiali/templates/service-monitor.yaml +++ b/kiali/helm/kiali/templates/service-monitor.yaml @@ -1,3 +1,4 @@ +{{- if eq .Values.monitoring.enabled true }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -14,3 +15,4 @@ spec: endpoints: - port: http-metrics path: '/' +{{- end }} diff --git a/kiali/helm/kiali/templates/virtualservice.yaml b/kiali/helm/kiali/templates/virtualservice.yaml new file mode 100644 index 000000000..86caa2cd5 --- /dev/null +++ b/kiali/helm/kiali/templates/virtualservice.yaml @@ -0,0 +1,22 @@ +{{- if .Values.virtualService.enabled }} +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ include "kiali-plural.fullname" . }} + labels: + {{- include "kiali-plural.labels" . | nindent 4 }} +spec: + hosts: + - {{ index .Values "kiali-server" "server" "web_fqdn" }} + gateways: + - {{ .Values.virtualService.gateway }} + http: + - match: + - uri: + prefix: {{ include "kiali-server.server.web_root" (index .Subcharts "kiali-server") }} + route: + - destination: + port: + number: {{ index .Values "kiali-server" "server" "port" }} + host: {{ include "kiali-server.fullname" (index .Subcharts "kiali-server") }} +{{- end }} diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 22c5ab73f..21d3daed7 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml 
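Review bot: The proxy_protocol listener filter has no comment about the trust it implies. With it in place the gateway takes the client address from the PROXY header of whatever peer opens the connection, so source-IP based policy and access logs are only as reliable as the guarantee that the listener can be reached solely through the load balancer. I would add above `listener_filters:` something like `# PROXY protocol: client IP comes from the header; the gateway must only be reachable via the NLB`. The surrounding `if` that decides when this filter is applied starts above the hunk, so which providers get it is not visible here.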
@@ -1,8 +1,14 @@ +virtualService: + enabled: true + gateway: "" + kiali-server: enabled: true auth: strategy: token istio_namespace: istio + server: + web_root: / # api: # namespaces: # exclude: @@ -74,3 +80,6 @@ kiali-server: # var-datasource: default # var-cluster: '' # var-instance: All + +monitoring: + enabled: false # with Istio we should have Istio scrape the pod diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index 1a61f67db..0aa61a28d 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl @@ -6,6 +6,9 @@ global: - description: kiali web ui url: {{ .Values.hostname }} +virtualService: + gateway: {{ namespace "istio-ingress" }}/istio-ingress + kiali-server: server: web_fqdn: {{ .Values.hostname }} diff --git a/kiali/plural/recipes/kiali-aws.yaml b/kiali/plural/recipes/kiali-aws.yaml index d6889bf0e..b975438c2 100644 --- a/kiali/plural/recipes/kiali-aws.yaml +++ b/kiali/plural/recipes/kiali-aws.yaml @@ -4,7 +4,7 @@ provider: AWS primary: true oidcSettings: authMethod: POST - uriFormat: https://{domain}/auth/callback + uriFormat: https://{domain}/api/auth/openid_redirect domainKey: hostname dependencies: - repo: bootstrap diff --git a/kiali/plural/recipes/kiali-azure.yaml b/kiali/plural/recipes/kiali-azure.yaml index 8a3e4f23a..e2ec54f25 100644 --- a/kiali/plural/recipes/kiali-azure.yaml +++ b/kiali/plural/recipes/kiali-azure.yaml @@ -4,7 +4,7 @@ provider: AZURE primary: true oidcSettings: authMethod: POST - uriFormat: https://{domain}/auth/callback + uriFormat: https://{domain}/api/auth/openid_redirect domainKey: hostname dependencies: - repo: bootstrap diff --git a/kiali/plural/recipes/kiali-gcp.yaml b/kiali/plural/recipes/kiali-gcp.yaml index 5a6e6f70a..6ae2a2e82 100644 --- a/kiali/plural/recipes/kiali-gcp.yaml +++ b/kiali/plural/recipes/kiali-gcp.yaml 
@@ -4,7 +4,7 @@ provider: GCP primary: true oidcSettings: authMethod: POST - uriFormat: https://{domain}/auth/callback + uriFormat: https://{domain}/api/auth/openid_redirect domainKey: hostname dependencies: - repo: bootstrap From e3bebabf484d91f4516c9bb9e9f7563834a6ddc7 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 16:39:59 +0200 Subject: [PATCH 07/18] fix(kiali): allow for oidc login Signed-off-by: David van der Spek --- kiali/helm/kiali/values.yaml | 3 +++ kiali/helm/kiali/values.yaml.tpl | 7 +++---- kiali/plural/recipes/kiali-aws.yaml | 4 ++-- kiali/plural/recipes/kiali-azure.yaml | 4 ++-- kiali/plural/recipes/kiali-gcp.yaml | 4 ++-- kiali/repository.yaml | 4 ++-- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 21d3daed7..e1ca75a5c 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -8,6 +8,9 @@ kiali-server: strategy: token istio_namespace: istio server: + # address: + web_port: 443 + web_schema: https web_root: / # api: # namespaces: diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index 0aa61a28d..d7e538a21 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl @@ -19,13 +19,12 @@ kiali-server: client_id: {{ .OIDC.ClientId }} disable_rbac: true authentication_timeout: 300 - username_claim: "email" + username_claim: email client_secret: {{ .OIDC.ClientSecret }} issuer_uri: {{ .OIDC.Configuration.Issuer }} scopes: - - "openid" - - "profile" - - "groups" + - openid + - profile {{- end }} istio_namespace: {{ namespace "istio" }} external_services: diff --git a/kiali/plural/recipes/kiali-aws.yaml b/kiali/plural/recipes/kiali-aws.yaml index b975438c2..1e9d5b6a2 100644 --- a/kiali/plural/recipes/kiali-aws.yaml +++ b/kiali/plural/recipes/kiali-aws.yaml 
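Review bot: The openid block in values.yaml.tpl keeps `disable_rbac: true` while this hunk also drops the `groups` scope, so per Kiali's documented behaviour every user the issuer authenticates gets the same cluster view as the Kiali service account, on a hostname that PATCH 06 appears to publish through the ingress gateway. If that is the intent, record it in the template, e.g. `# disable_rbac: all OIDC users share the Kiali service account's permissions; restrict who can log in at the issuer`. Separately, `client_secret: {{ .OIDC.ClientSecret }}` is emitted unquoted, so a secret containing YAML-significant characters could break or alter the value; terraform.tfvars in this series already uses `| quote`, and `client_secret: {{ .OIDC.ClientSecret | quote }}` would match it. The `kiali-server.auth.openid` mapping starts above the hunk.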
@@ -3,8 +3,8 @@ description: Installs kiali on an aws eks cluster provider: AWS primary: true oidcSettings: - authMethod: POST - uriFormat: https://{domain}/api/auth/openid_redirect + authMethod: BASIC + uriFormat: https://{domain} domainKey: hostname dependencies: - repo: bootstrap diff --git a/kiali/plural/recipes/kiali-azure.yaml b/kiali/plural/recipes/kiali-azure.yaml index e2ec54f25..ba2acfd37 100644 --- a/kiali/plural/recipes/kiali-azure.yaml +++ b/kiali/plural/recipes/kiali-azure.yaml @@ -3,8 +3,8 @@ description: Installs kiali on an aws eks cluster provider: AZURE primary: true oidcSettings: - authMethod: POST - uriFormat: https://{domain}/api/auth/openid_redirect + authMethod: BASIC + uriFormat: https://{domain} domainKey: hostname dependencies: - repo: bootstrap diff --git a/kiali/plural/recipes/kiali-gcp.yaml b/kiali/plural/recipes/kiali-gcp.yaml index 6ae2a2e82..db6dadc5c 100644 --- a/kiali/plural/recipes/kiali-gcp.yaml +++ b/kiali/plural/recipes/kiali-gcp.yaml @@ -3,8 +3,8 @@ description: Installs kiali on an aws eks cluster provider: GCP primary: true oidcSettings: - authMethod: POST - uriFormat: https://{domain}/api/auth/openid_redirect + authMethod: BASIC + uriFormat: https://{domain} domainKey: hostname dependencies: - repo: bootstrap diff --git a/kiali/repository.yaml b/kiali/repository.yaml index 74c9119bc..668faf838 100644 --- a/kiali/repository.yaml +++ b/kiali/repository.yaml @@ -7,8 +7,8 @@ notes: plural/notes.tpl homepage: https://kiali.io/ gitUrl: https://github.com/kiali/kiali oauthSettings: - uriFormat: https://{domain}/auth/callback - authMethod: POST + uriFormat: https://{domain} + authMethod: BASIC tags: - tag: istio - tag: network From 4c39f3ef9e62644182299a4cc6326810bdcf589e Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 16:47:59 +0200 Subject: [PATCH 08/18] fix(kiali): allow it to work with sidecar 
Signed-off-by: David van der Spek --- kiali/helm/kiali/values.yaml | 4 +++- kiali/terraform/kube/main.tf | 3 +-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index e1ca75a5c..a8c0e6b1c 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -19,7 +19,9 @@ kiali-server: # - kube-.* # - openshift.* # - ibm.* - # deployment: + deployment: + pod_annotations: + proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }' # TODO: remove once https://github.com/kiali/kiali/issues/6598 is resolved # override_ingress_yaml: # metadata: # annotations: diff --git a/kiali/terraform/kube/main.tf b/kiali/terraform/kube/main.tf index aaecb8387..fa1a7a656 100644 --- a/kiali/terraform/kube/main.tf +++ b/kiali/terraform/kube/main.tf @@ -4,8 +4,7 @@ resource "kubernetes_namespace" "kiali" { labels = { "app.kubernetes.io/managed-by" = "plural" "app.plural.sh/name" = "kiali" - + "istio-injection" = "enabled" } } } - From d0814b1b32e18dedbe1be750689748c296384d64 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 17:32:00 +0200 Subject: [PATCH 09/18] fix(kiali): grafana integration Signed-off-by: David van der Spek --- kiali/helm/kiali/values.yaml | 43 ++++++++++++++++---------------- kiali/helm/kiali/values.yaml.tpl | 10 ++++++++ 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index a8c0e6b1c..966626f61 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml 
@@ -63,28 +63,27 @@ kiali-server: # tracing: # use_grpc: false # we would actually want this to be true, but it doesn't work currently # in_cluster_url: http://grafana-tempo-tempo-distributed-query-frontend.grafana-tempo:16686 - # grafana: - # auth: - # type: basic - # username: admin - # password: "" - # url: - # https://grafana.kubeflow-aws.com - # in_cluster_url: http://grafana.grafana:80 - # dashboards: - # - name: "Istio Service Dashboard" - # variables: - # namespace: var-namespace - # service: var-service - # - name: "Istio Workload Dashboard" - # variables: - # namespace: var-namespace - # service: var-service - # - name: "Kubernetes / API server" - # variables: - # var-datasource: default - # var-cluster: '' - # var-instance: All + grafana: + auth: + type: basic # TODO: don't use admin password for Kiali to access grafana in values.yaml.tpl + dashboards: + - name: "Istio Mesh Dashboard" + - name: "Istio Control Plane Dashboard" + - name: "Istio Performance Dashboard" + - name: "Istio Wasm Extension Dashboard" + - name: "Istio Service Dashboard" + variables: + namespace: var-namespace + service: var-service + - name: "Istio Workload Dashboard" + variables: + namespace: var-namespace + service: var-service + - name: "Kubernetes / API server" + variables: + var-datasource: default + var-cluster: '' + var-instance: All monitoring: enabled: false # with Istio we should have Istio scrape the pod diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index d7e538a21..1e01bcb49 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl 
@@ -41,3 +41,13 @@ kiali-server: namespace: {{ namespace "istio-ingress" }} prometheus: url: http://monitoring-prometheus.{{ $monitoringNamespace }}:9090 + {{- if .Configuration.grafana }} + {{ $grafanaValues := .Applications.HelmValues "grafana" }} + {{ $grafanaNamespace := namespace "grafana" }} + grafana: + auth: + username: {{ $grafanaValues.grafana.grafana.admin.user }} + password: {{ $grafanaValues.grafana.grafana.admin.password }} + url: https://{{ .Configuration.grafana.hostname }} + in_cluster_url: http://grafana.{{ $grafanaNamespace }}:80 + {{- end }} From 4bd59863a909505cdd5925d59a5d2a1c0ccad633 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 17:45:53 +0200 Subject: [PATCH 10/18] some more kiali templating cleanup Signed-off-by: David van der Spek --- kiali/helm/kiali/values.yaml | 11 ++++++++++- kiali/helm/kiali/values.yaml.tpl | 8 +------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 966626f61..168cf0e3e 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -6,6 +6,13 @@ kiali-server: enabled: true auth: strategy: token + openid: + disable_rbac: true + authentication_timeout: 300 + username_claim: email + scopes: + - openid + - profile istio_namespace: istio server: # address: @@ -60,10 +67,12 @@ kiali-server: namespace: istio-ingress prometheus: url: http://monitoring-prometheus.monitoring:9090 - # tracing: + tracing: + enabled: false # use_grpc: false # we would actually want this to be true, but it doesn't work currently # in_cluster_url: http://grafana-tempo-tempo-distributed-query-frontend.grafana-tempo:16686 grafana: + enabled: false auth: type: basic # TODO: don't use admin password for Kiali to access grafana in values.yaml.tpl dashboards: diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index 1e01bcb49..c064378bc 100644 --- a/kiali/helm/kiali/values.yaml.tpl 
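Review bot: The new `grafana.auth` block in this hunk gives Kiali the Grafana admin account (`$grafanaValues.grafana.grafana.admin.user` and `.admin.password`), which is more privilege than resolving dashboard links needs; a dedicated Viewer-level account or token would limit what a compromised Kiali can reach. Rendered as a plain chart value, the password presumably ends up in Kiali's rendered configuration instead of a Secret; Kiali documents a `secret:<secretName>:<secretKey>` form for this field that keeps it out. Both values are also emitted unquoted, so a password containing `#` or `: `, or made only of digits, would be misread as YAML; if the template engine exposes a `quote` function, `password: {{ $grafanaValues.grafana.grafana.admin.password | quote }}` avoids that.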
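Review bot: `disable_rbac: true` is added to the static defaults in the `@@ -6,6 +6,13 @@` hunk of values.yaml with no comment, and with it set Kiali does not apply per-user Kubernetes RBAC, so everyone who can sign in through the OIDC provider sees whatever Kiali's own service account can read. Because the value now applies to every install that switches `strategy` to `openid`, it deserves an inline explanation, for example `disable_rbac: true # all logged-in users share Kiali's service-account view; limit who may log in at the identity provider`. The `kiali-server` block continues outside the hunk.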
+++ b/kiali/helm/kiali/values.yaml.tpl @@ -17,21 +17,14 @@ kiali-server: strategy: openid openid: client_id: {{ .OIDC.ClientId }} - disable_rbac: true - authentication_timeout: 300 - username_claim: email client_secret: {{ .OIDC.ClientSecret }} issuer_uri: {{ .OIDC.Configuration.Issuer }} - scopes: - - openid - - profile {{- end }} istio_namespace: {{ namespace "istio" }} external_services: istio: root_namespace: {{ namespace "istio" }} component_status: - enabled: true components: - app_label: istiod is_core: true @@ -45,6 +38,7 @@ kiali-server: {{ $grafanaValues := .Applications.HelmValues "grafana" }} {{ $grafanaNamespace := namespace "grafana" }} grafana: + enabled: true auth: username: {{ $grafanaValues.grafana.grafana.admin.user }} password: {{ $grafanaValues.grafana.grafana.admin.password }} From a54a0dff0127a3c76f76e59084ab6e1952209c82 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 11 Sep 2023 18:11:55 +0200 Subject: [PATCH 11/18] set gateway to 2 replicas + kiali labels Signed-off-by: David van der Spek --- istio-ingress/helm/istio-ingress/values.yaml | 2 ++ kiali/helm/kiali/values.yaml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/istio-ingress/helm/istio-ingress/values.yaml b/istio-ingress/helm/istio-ingress/values.yaml index 9bfd0e089..72523cc86 100644 --- a/istio-ingress/helm/istio-ingress/values.yaml +++ b/istio-ingress/helm/istio-ingress/values.yaml @@ -1,6 +1,8 @@ provider: "" gateway: + autoscaling: + minReplicas: 2 topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 168cf0e3e..309e8376f 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -53,6 +53,9 @@ kiali-server: # name: kiali # port: # name: http + istio_labels: + app_label_name: "app.kubernetes.io/name" + version_label_name: "app.kubernetes.io/version" external_services: istio: root_namespace: istio 
From f0986f9e736ed81eb04f6e8a09cf914f19278c14 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 12 Sep 2023 11:24:26 +0200 Subject: [PATCH 12/18] deps and template fixes Signed-off-by: David van der Spek --- bootstrap/helm/bootstrap/values.yaml.tpl | 5 ++--- istio/helm/istio/values.yaml.tpl | 2 +- kiali/helm/kiali/deps.yaml | 11 ++++++++++- kiali/plural/recipes/kiali-aws.yaml | 2 ++ kiali/plural/recipes/kiali-azure.yaml | 2 ++ kiali/plural/recipes/kiali-gcp.yaml | 2 ++ 6 files changed, 19 insertions(+), 5 deletions(-) diff --git a/bootstrap/helm/bootstrap/values.yaml.tpl b/bootstrap/helm/bootstrap/values.yaml.tpl index 9b88bf34e..38cf4b559 100644 --- a/bootstrap/helm/bootstrap/values.yaml.tpl +++ b/bootstrap/helm/bootstrap/values.yaml.tpl @@ -52,10 +52,9 @@ external-dns: sources: - service - ingress - {{ if .Configuration.istio }} - - istio-gateway + {{- if chartInstalled "istio" "istio" }} - istio-virtualservice - {{ end }} + {{- end }} {{ if and (not $pluraldns) (eq .Provider "azure") }} externalDnsIdentityId: {{ importValue "Terraform" "externaldns_msi_id" }} diff --git a/istio/helm/istio/values.yaml.tpl b/istio/helm/istio/values.yaml.tpl index f7dfc73fe..5cb1aa60e 100644 --- a/istio/helm/istio/values.yaml.tpl +++ b/istio/helm/istio/values.yaml.tpl @@ -1,7 +1,7 @@ global: istioNamespace: {{ namespace "istio" }} -{{- if and .Configuration (index .Configuration "istio-cni") }} +{{- if chartInstalled "istio-cni" "istio-cni" }} istiod: istio_cni: enabled: true diff --git a/kiali/helm/kiali/deps.yaml b/kiali/helm/kiali/deps.yaml index 160c4d1e3..f0f5ea7d6 100644 --- a/kiali/helm/kiali/deps.yaml +++ b/kiali/helm/kiali/deps.yaml @@ -16,7 +16,16 @@ spec: - type: helm name: istio repo: istio - version: '>= 0.1.101' + version: '>= 0.2.0' + - type: helm + name: istio-ingress + repo: istio-ingress + version: '>= 0.1.0' + - type: helm + name: istio-cni + repo: istio-cni + version: '>= 0.1.0' + optional: true - type: terraform name: kube repo: kiali 
diff --git a/kiali/plural/recipes/kiali-aws.yaml b/kiali/plural/recipes/kiali-aws.yaml index 1e9d5b6a2..ea33be816 100644 --- a/kiali/plural/recipes/kiali-aws.yaml +++ b/kiali/plural/recipes/kiali-aws.yaml @@ -13,6 +13,8 @@ dependencies: name: monitoring-aws - repo: istio name: istio-aws +- repo: istio-ingress + name: istio-ingress-aws sections: - name: kiali configuration: diff --git a/kiali/plural/recipes/kiali-azure.yaml b/kiali/plural/recipes/kiali-azure.yaml index ba2acfd37..09b0389b3 100644 --- a/kiali/plural/recipes/kiali-azure.yaml +++ b/kiali/plural/recipes/kiali-azure.yaml @@ -13,6 +13,8 @@ dependencies: name: monitoring-azure - repo: istio name: istio-azure +- repo: istio-ingress + name: istio-ingress-azure sections: - name: kiali configuration: diff --git a/kiali/plural/recipes/kiali-gcp.yaml b/kiali/plural/recipes/kiali-gcp.yaml index db6dadc5c..19051022b 100644 --- a/kiali/plural/recipes/kiali-gcp.yaml +++ b/kiali/plural/recipes/kiali-gcp.yaml @@ -13,6 +13,8 @@ dependencies: name: monitoring-gcp - repo: istio name: istio-gcp +- repo: istio-ingress + name: istio-ingress-gcp sections: - name: kiali configuration: From 44c7006e4658038dd7b8b48c2c554b3c82d4919c Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 12 Sep 2023 11:44:45 +0200 Subject: [PATCH 13/18] fix(kiali): enable support for mimir Signed-off-by: David van der Spek --- kiali/helm/kiali/values.yaml.tpl | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index c064378bc..b945c0b2c 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl @@ -1,4 +1,5 @@ {{- $monitoringNamespace := namespace "monitoring" -}} +{{- $mimir := and .Configuration .Configuration.mimir }} global: application: 
@@ -33,7 +34,13 @@ kiali-server: is_proxy: true namespace: {{ namespace "istio-ingress" }} prometheus: + {{- if $mimir }} + url: http://mimir-nginx.mimir/prometheus + custom_headers: + X-Scope-OrgID: {{ .Cluster }} + {{- else }} url: http://monitoring-prometheus.{{ $monitoringNamespace }}:9090 + {{- end }} {{- if .Configuration.grafana }} {{ $grafanaValues := .Applications.HelmValues "grafana" }} {{ $grafanaNamespace := namespace "grafana" }} From 632c386fe3a25d792163ea2274e5c45591e15d71 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 12 Sep 2023 12:42:27 +0200 Subject: [PATCH 14/18] enable tracing Signed-off-by: David van der Spek --- grafana-agent/helm/grafana-agent/values.yaml | 17 +++++++++++++--- istio/helm/istio/values.yaml | 5 ++++- istio/helm/istio/values.yaml.tpl | 21 +++++++++++++++++++- kiali/helm/kiali/values.yaml | 7 ++++++- kiali/helm/kiali/values.yaml.tpl | 9 +++++++++ 5 files changed, 53 insertions(+), 6 deletions(-) diff --git a/grafana-agent/helm/grafana-agent/values.yaml b/grafana-agent/helm/grafana-agent/values.yaml index b40181a4b..bc9f523ea 100644 --- a/grafana-agent/helm/grafana-agent/values.yaml +++ b/grafana-agent/helm/grafana-agent/values.yaml @@ -200,6 +200,10 @@ traces: # TODO: split this into 2 deployment to allow for tail based sampling. F port: 6831 targetPort: 6831 protocol: "UDP" + - name: http-zipkin + port: 9411 + targetPort: 9411 + protocol: "TCP" mimirHost: http://mimir-nginx.mimir lokiHost: http://loki-loki-distributed-gateway.loki/loki/api/v1/push tempoHost: http://tempo-gateway.tempo/otlp 
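Review bot: `X-Scope-OrgID: {{ .Cluster }}` in the added Mimir branch is rendered unquoted, so a cluster name that YAML reads as a number or boolean would reach the chart as a non-string header value; `X-Scope-OrgID: "{{ .Cluster }}"` keeps it a string. The header is the tenant selector for every query Kiali sends, so a short comment saying that the tenant is assumed to equal the cluster name would help whoever changes the Mimir tenancy later. The `external_services` block starts outside the hunk.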
@@ -260,9 +264,16 @@ traces: # TODO: split this into 2 deployment to allow for tail based sampling. F } output { - metrics = [otelcol.exporter.otlphttp.local.input] - logs = [otelcol.exporter.otlphttp.local.input] - traces = [otelcol.exporter.otlphttp.local.input] + metrics = [otelcol.processor.batch.local.input] + logs = [otelcol.processor.batch.local.input] + traces = [otelcol.processor.batch.local.input] + } + } + + otelcol.receiver.zipkin "local" { + endpoint = "0.0.0.0:9411" + output { + traces = [otelcol.processor.batch.local.input] } } diff --git a/istio/helm/istio/values.yaml b/istio/helm/istio/values.yaml index d79920d77..a85599855 100644 --- a/istio/helm/istio/values.yaml +++ b/istio/helm/istio/values.yaml @@ -57,7 +57,10 @@ istiod: accessLogFile: /dev/stdout accessLogFormat: | [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME% traceID=%REQ(x-b3-traceid)% - # defaultConfig: # Needed for ambient mode + defaultConfig: + tracing: + sampling: 100.0 + max_path_tag_length: 256 # proxyMetadata: # Needed for ambient mode # ISTIO_META_ENABLE_HBONE: "true" # Needed for ambient mode diff --git a/istio/helm/istio/values.yaml.tpl b/istio/helm/istio/values.yaml.tpl index 5cb1aa60e..5ca8c4f00 100644 --- a/istio/helm/istio/values.yaml.tpl +++ b/istio/helm/istio/values.yaml.tpl 
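Review bot: The added `otelcol.receiver.zipkin "local"` binds `0.0.0.0:9411` without any authentication, and the previous hunk appears to expose that port on the Service, so any workload that can reach it can submit spans. A NetworkPolicy or Istio AuthorizationPolicy limiting port 9411 to the mesh proxies would narrow that; nothing in the visible hunks does. Separately, the three outputs now reference `otelcol.processor.batch.local`, whose definition is not in this hunk, so confirm it exists in the unchanged part of the configuration. The enclosing configuration block starts and ends outside the hunk.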
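Review bot: `sampling: 100.0` under `defaultConfig.tracing` in istio/helm/istio/values.yaml makes every proxy trace every request by default, which is a sizeable cost for a production mesh and sends request paths (up to `max_path_tag_length: 256` characters) to the trace backend for all traffic. Paths can carry identifiers or tokens, so a lower default with an opt-in override is the safer choice, or at least a comment such as `sampling: 100.0 # traces every request; lower for production`. The enclosing block starts outside the hunk.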
@@ -1,8 +1,27 @@ +{{ $grafanaAgent := and .Configuration (index .Configuration "grafana-agent") }} +{{ $tempo := and .Configuration .Configuration.tempo }} + global: istioNamespace: {{ namespace "istio" }} + {{/* {{- if and $grafanaAgent $tempo }} + tracer: + zipkin: + address: + {{- end }} */}} -{{- if chartInstalled "istio-cni" "istio-cni" }} +{{- if or (and $grafanaAgent $tempo) (chartInstalled "istio-cni" "istio-cni") }} istiod: + {{- if and $grafanaAgent $tempo }} + {{ $grafanaAgentNamespace := namespace "grafana-agent" }} + meshConfig: + enableTracing: true + defaultConfig: + tracing: + zipkin: + address: grafana-agent-traces.{{ $grafanaAgentNamespace }}.svc:9411 + {{- end }} + {{- if chartInstalled "istio-cni" "istio-cni" }} istio_cni: enabled: true + {{- end }} {{- end }} diff --git a/kiali/helm/kiali/values.yaml b/kiali/helm/kiali/values.yaml index 309e8376f..cd7a38399 100644 --- a/kiali/helm/kiali/values.yaml +++ b/kiali/helm/kiali/values.yaml @@ -15,7 +15,12 @@ kiali-server: - profile istio_namespace: istio server: - # address: + observability: + tracing: + collector_type: otel + sampling_rate: 1.0 + otel: + protocol: http web_port: 443 web_schema: https web_root: / diff --git a/kiali/helm/kiali/values.yaml.tpl b/kiali/helm/kiali/values.yaml.tpl index b945c0b2c..3da67bcc5 100644 --- a/kiali/helm/kiali/values.yaml.tpl +++ b/kiali/helm/kiali/values.yaml.tpl @@ -1,5 +1,7 @@ {{- $monitoringNamespace := namespace "monitoring" -}} {{- $mimir := and .Configuration .Configuration.mimir }} +{{ $grafanaAgent := and .Configuration (index .Configuration "grafana-agent") }} +{{ $tempo := and .Configuration .Configuration.tempo }} global: application: 
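Review bot: The `{{/* ... */}}` block under `global:` keeps a half-written `tracer.zipkin.address` stanza as a template comment; it renders nothing and leaves readers unsure whether global tracer settings are still required, so it is better deleted or replaced by a one-line comment such as `{{/* tracing is configured per proxy under istiod.meshConfig.defaultConfig */}}`. The zipkin address added below points at `grafana-agent-traces.{{ $grafanaAgentNamespace }}.svc:9411`, which only works once the receiver and Service port added to grafana-agent/values.yaml in this same commit are deployed; an install with an older grafana-agent chart would presumably have tracing enabled with nothing listening, so a minimum-version dependency is worth considering.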
@@ -12,6 +14,13 @@ virtualService: kiali-server: server: + {{- if and $grafanaAgent $tempo }} + {{ $grafanaAgentNamespace := namespace "grafana-agent" }} + observability: + tracing: + collector_url: grafana-agent-traces.{{ $grafanaAgentNamespace }}.svc:4318 + enabled: true + {{- end }} web_fqdn: {{ .Values.hostname }} {{- if .OIDC }} auth: From 5c3cfd3bcf3faed33322177b561c2ae2a64ce68a Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 12 Sep 2023 14:02:09 +0200 Subject: [PATCH 15/18] update istio dashboards 
Signed-off-by: David van der Spek --- ...istio-control-plane-dashboard_rev178.json} | 52 +- .../istio-extension-dashboard_rev135.json | 887 ++++++++++++++++++ ....json => istio-mesh-dashboard_rev178.json} | 46 +- ...> istio-performance-dashboard_rev178.json} | 45 +- ...on => istio-service-dashboard_rev178.json} | 121 ++- ...n => istio-workload-dashboard_rev178.json} | 59 +- .../dashboards/control-plane-dashboard.yaml | 2 +- .../dashboards/istio-extension-dashboard.yaml | 11 + .../monitoring/dashboards/mesh-dashboard.yaml | 2 +- .../dashboards/performance-dashboard.yaml | 2 +- .../dashboards/service-dashboard.yaml | 2 +- .../dashboards/workload-dashboard.yaml | 2 +- 12 files changed, 1078 insertions(+), 153 deletions(-) rename istio/helm/istio/grafana-dashboards/{istio-control-plane-dashboard_rev82.json => istio-control-plane-dashboard_rev178.json} (96%) create mode 100644 istio/helm/istio/grafana-dashboards/istio-extension-dashboard_rev135.json rename istio/helm/istio/grafana-dashboards/{istio-mesh-dashboard_rev82.json => istio-mesh-dashboard_rev178.json} (97%) rename istio/helm/istio/grafana-dashboards/{istio-performance-dashboard_rev82.json => istio-performance-dashboard_rev178.json} (96%) rename istio/helm/istio/grafana-dashboards/{istio-service-dashboard_rev82.json => istio-service-dashboard_rev178.json} (97%) rename istio/helm/istio/grafana-dashboards/{istio-workload-dashboard_rev82.json => istio-workload-dashboard_rev178.json} (98%) create mode 100644 istio/helm/istio/templates/monitoring/dashboards/istio-extension-dashboard.yaml diff --git a/istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev82.json b/istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev178.json similarity index 96% rename from istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev82.json rename to istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev178.json index 16ebe32e7..a57fd85bc 100644 
--- a/istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev82.json +++ b/istio/helm/istio/grafana-dashboards/istio-control-plane-dashboard_rev178.json @@ -48,7 +48,7 @@ } ] }, - "description": "Istio Control Plane Dashboard version 1.11.0", + "description": "Istio Control Plane Dashboard version 1.19.0", "editable": false, "gnetId": 7645, "graphTooltip": 1, @@ -72,7 +72,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 5, @@ -170,7 +170,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -322,7 +322,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -425,7 +425,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -519,7 +519,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -618,7 +618,7 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "Shows the rate of pilot pushes", "fill": 1, "gridPos": { @@ -740,7 +740,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "Captures a variety of pilot errors", "fill": 1, "gridPos": { @@ -891,7 +891,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "Shows the total time it takes to push a config update to a proxy", "fill": 1, "gridPos": { 
@@ -998,7 +998,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -1039,14 +1039,6 @@ "legendFormat": "Inbound Listeners", "refId": "B" }, - { - "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (http over current tcp)", - "refId": "A" - }, { "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}", "format": "time_series", @@ -1054,14 +1046,6 @@ "intervalFactor": 1, "legendFormat": "Outbound Listeners (tcp over current tcp)", "refId": "C" - }, - { - "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (tcp over current http)", - "refId": "D" } ], "thresholds": [], @@ -1110,7 +1094,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -1222,7 +1206,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "Shows details about Envoy proxies in the mesh", "fill": 1, "gridPos": { @@ -1324,7 +1308,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -1410,7 +1394,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "Shows the size of XDS requests and responses", "fill": 1, "gridPos": { @@ -1518,7 +1502,7 @@ }, { "collapsed": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": null, "gridPos": { "h": 1, "w": 24, 
@@ -1535,7 +1519,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": null, "fill": 1, "fillGradient": 0, "gridPos": { @@ -1631,7 +1615,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": null, "description": "", "fill": 1, "fillGradient": 0, @@ -1739,7 +1723,7 @@ "includeAll": false, "label": null, "multi": false, - "name": "DS_PROMETHEUS", + "name": "datasource", "options": [], "query": "prometheus", "queryValue": "", diff --git a/istio/helm/istio/grafana-dashboards/istio-extension-dashboard_rev135.json b/istio/helm/istio/grafana-dashboards/istio-extension-dashboard_rev135.json new file mode 100644 index 000000000..389fc3fe9 --- /dev/null +++ b/istio/helm/istio/grafana-dashboards/istio-extension-dashboard_rev135.json 
@@ -0,0 +1,887 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "6.4.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Istio Wasm Extension Dashboard version 1.19.0", + "editable": false, + "gnetId": 13277, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "collapsed": false, + "datasource": "${datasource}", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 3, + "panels": [], + "title": "Wasm VMs", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "description": "", + "fieldConfig": { + "defaults": { + "custom": { + "align": null + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 1 + }, + "hiddenSeries": false, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + 
"pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "avg(envoy_wasm_envoy_wasm_runtime_null_active)", + "interval": "", + "legendFormat": "native", + "refId": "A" + }, + { + "expr": "avg(envoy_wasm_envoy_wasm_runtime_v8_active)", + "interval": "", + "legendFormat": "v8", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:123", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:124", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {}, + "links": [] + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "hiddenSeries": false, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "avg(envoy_wasm_envoy_wasm_runtime_null_created)", + "interval": "", + "legendFormat": "native", + "refId": 
"A" + }, + { + "expr": "avg(envoy_wasm_envoy_wasm_runtime_v8_created)", + "interval": "", + "legendFormat": "v8", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Created", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:68", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:69", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${datasource}", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 9 + }, + "id": 7, + "panels": [], + "title": "Wasm Module Remote Load", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {}, + "links": [] + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 10 + }, + "hiddenSeries": false, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "avg(envoy_wasm_remote_load_cache_entries)", + "interval": "", + "legendFormat": "entries", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + 
"timeShift": null, + "title": "Cache Entry", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:178", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:179", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {}, + "links": [] + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 10 + }, + "hiddenSeries": false, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "avg(envoy_wasm_remote_load_cache_hits)", + "interval": "", + "legendFormat": "hits", + "refId": "A" + }, + { + "expr": "avg(envoy_wasm_remote_load_cache_misses)", + "interval": "", + "legendFormat": "misses", + "refId": "B" + }, + { + "expr": "avg(envoy_wasm_remote_load_cache_negative_hits)", + "interval": "", + "legendFormat": "negative hits", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Cache Visit", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": 
{ + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:233", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:234", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {}, + "links": [] + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 10 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "avg(envoy_wasm_remote_load_fetch_failures)", + "interval": "", + "legendFormat": "failures", + "refId": "A" + }, + { + "expr": "avg(envoy_wasm_remote_load_fetch_successes)", + "interval": "", + "legendFormat": "successes", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Remote Fetch", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:288", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:289", + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${datasource}", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 71, + "panels": [], + "title": "Proxy Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 19 + }, + "hiddenSeries": false, + "id": 72, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_working_set_bytes{container=\"istio-proxy\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:396", + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:397", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": 
{ + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${datasource}", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 19 + }, + "hiddenSeries": false, + "id": 73, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.2.1", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:447", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "$$hashKey": "object:448", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": false, + "schemaVersion": 26, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": null, + "multi": 
false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Istio Wasm Extension Dashboard", + "uid": "7PAV7ctGz", + "version": 17 +} \ No newline at end of file diff --git a/istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev82.json b/istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev178.json similarity index 97% rename from istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev82.json rename to istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev178.json index 4cbe83293..06bc99b9d 100644 --- a/istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev82.json +++ b/istio/helm/istio/grafana-dashboards/istio-mesh-dashboard_rev178.json @@ -48,7 +48,7 @@ } ] }, - "description": "Istio Mesh Dashboard version 1.11.0", + "description": "Istio Mesh Dashboard version 1.19.0", "editable": false, "gnetId": 7639, "graphTooltip": 0, @@ -83,7 +83,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "ops", "gauge": { "maxValue": 100, @@ -177,7 +177,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "percentunit", "gauge": { "maxValue": 100, @@ -272,7 +272,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "ops", "gauge": { "maxValue": 100, @@ -367,7 +367,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "ops", "gauge": { "maxValue": 100, 
@@ -462,7 +462,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -558,7 +558,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -654,7 +654,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -750,7 +750,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -846,7 +846,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -942,7 +942,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -1038,7 +1038,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -1134,7 +1134,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "format": "none", "gauge": { "maxValue": 100, @@ -1223,7 +1223,7 @@ }, { "columns": [], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fontSize": "100%", "gridPos": { "h": 21, @@ -1257,7 +1257,7 @@ "link": false, "linkTargetBlank": false, "linkTooltip": "Workload dashboard", - "linkUrl": "/d/UbsSZTDik/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", "pattern": "destination_workload", "preserveFormat": false, "sanitize": false, 
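Review bot: The new `linkUrl` values in the `@@ -1257` hunk, and in the `@@ -1370`, `@@ -1388`, `@@ -1498`, `@@ -1565` and `@@ -1598` hunks that follow, replace the UID route `/d/<uid>/...` with the legacy slug route `/dashboard/db/<slug>`. Grafana deprecated that route when dashboard UIDs were introduced, and newer releases may no longer resolve it, so the drill-down links from the mesh tables could stop working. If the workload and service dashboards in this chart keep their previous UIDs (their `uid` fields are not visible in these hunks), keep the UID form, e.g. `"linkUrl": "/d/UbsSZTDik/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}"`. The style objects these lines belong to start and end outside the hunks.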
@@ -1370,7 +1370,7 @@ "decimals": 2, "link": true, "linkTooltip": "$__cell dashboard", - "linkUrl": "/d/UbsSZTDik/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}", "pattern": "destination_workload_var", "thresholds": [], "type": "number", @@ -1388,7 +1388,7 @@ "decimals": 2, "link": true, "linkTooltip": "$__cell dashboard", - "linkUrl": "/d/LJ_uJAvmk/istio-service-dashboard?var-service=${__cell_1:raw}", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}", "pattern": "destination_service", "thresholds": [], "type": "string", @@ -1465,7 +1465,7 @@ }, { "columns": [], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fontSize": "100%", "gridPos": { "h": 18, @@ -1498,7 +1498,7 @@ "link": false, "linkTargetBlank": false, "linkTooltip": "$__cell dashboard", - "linkUrl": "/d/UbsSZTDik/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", "pattern": "destination_workload", "preserveFormat": false, "sanitize": false, @@ -1565,7 +1565,7 @@ "decimals": 2, "link": true, "linkTooltip": "$__cell dashboard", - "linkUrl": "/d/UbsSZTDik/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}", "pattern": "destination_workload_var", "thresholds": [], "type": "string", @@ -1598,7 +1598,7 @@ "decimals": 2, "link": true, "linkTooltip": "$__cell dashboard", - "linkUrl": "/d/LJ_uJAvmk/istio-service-dashboard?var-service=${__cell_1:raw}", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}", "pattern": "destination_service", "thresholds": [], "type": "number", 
@@ -1635,7 +1635,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 9, @@ -1734,7 +1734,7 @@ "includeAll": false, "label": null, "multi": false, - "name": "DS_PROMETHEUS", + "name": "datasource", "options": [], "query": "prometheus", "queryValue": "", diff --git a/istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev82.json b/istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev178.json similarity index 96% rename from istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev82.json rename to istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev178.json index 570ae38c8..7d07299ec 100644 --- a/istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev82.json +++ b/istio/helm/istio/grafana-dashboards/istio-performance-dashboard_rev178.json @@ -48,7 +48,7 @@ } ] }, - "description": "Istio Performance Dashboard version 1.11.0", + "description": "Istio Performance Dashboard version 1.19.0", "editable": false, "gnetId": 11829, "graphTooltip": 0, @@ -103,7 +103,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -135,7 +135,7 @@ "steppedLine": false, "targets": [ { - "expr": "(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))", + "expr": "(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingress.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingress\", reporter=\"source\"}[1m])), 0.001)/1000))", "format": "time_series", "hide": false, "intervalFactor": 1, 
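Review bot: The rewritten `expr` in the `@@ -135` hunk selects gateway pods with `pod=~\"istio-ingress.*\"` and no `namespace` matcher, so any pod in the cluster whose name starts with `istio-ingress` is counted in the gateway CPU figure. `source_workload=\"istio-ingress\"` also only matches if the gateway workload has exactly that name, which cannot be confirmed from these hunks. The same selectors recur in the `@@ -143`, `@@ -228`, `@@ -333` and `@@ -425` hunks, and in the last three the unchanged `legendFormat` still names `istio-ingressgateway`. Consider keeping the trailing hyphen and scoping by namespace, e.g. `pod=~\"istio-ingress-.*\",namespace=\"<GATEWAY_NAMESPACE>\"`, and updating the legends to the new workload name. The target objects continue outside the hunks.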
@@ -143,7 +143,7 @@ "refId": "A" }, { - "expr": "(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "expr": "(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingress\"}[1m])) >bool 10)", "format": "time_series", "intervalFactor": 1, "legendFormat": "istio-proxy", @@ -196,7 +196,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -228,7 +228,7 @@ "steppedLine": false, "targets": [ { - "expr": "sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))", + "expr": "sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingress.*\",container=\"istio-proxy\"}[1m]))", "format": "time_series", "intervalFactor": 1, "legendFormat": "istio-ingressgateway", @@ -301,7 +301,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -333,7 +333,7 @@ "steppedLine": false, "targets": [ { - "expr": "sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})", + "expr": "sum(container_memory_working_set_bytes{pod=~\"istio-ingress.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingress.*\",container!=\"POD\"})", "format": "time_series", "intervalFactor": 1, "legendFormat": "per istio-ingressgateway", 
@@ -393,7 +393,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -425,7 +425,7 @@ "steppedLine": false, "targets": [ { - "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingress\", reporter=\"source\"}[1m]))", "format": "time_series", "intervalFactor": 1, "legendFormat": "istio-ingressgateway", @@ -498,7 +498,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 8, @@ -596,7 +596,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -683,7 +683,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -770,7 +770,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -870,7 +870,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -1024,7 +1024,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -1129,7 +1129,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, @@ -1226,7 +1226,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fill": 1, "gridPos": { "h": 7, 
@@ -1316,17 +1316,18 @@ "list": [ { "current": { - "selected": false, + "selected": true, "text": "default", "value": "default" }, - "hide": 2, + "hide": 0, "includeAll": false, - "label": "Data Source", + "label": null, "multi": false, - "name": "DS_PROMETHEUS", + "name": "datasource", "options": [], "query": "prometheus", + "queryValue": "", "refresh": 1, "regex": "", "skipUrlSync": false, diff --git a/istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev82.json b/istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev178.json similarity index 97% rename from istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev82.json rename to istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev178.json index 1222df2a8..1923b21ad 100644 --- a/istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev82.json +++ b/istio/helm/istio/grafana-dashboards/istio-service-dashboard_rev178.json @@ -48,7 +48,7 @@ } ] }, - "description": "Istio Service Dashboard version 1.11.0", + "description": "Istio Service Dashboard version 1.19.0", "editable": false, "gnetId": 7636, "graphTooltip": 0, @@ -100,7 +100,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -201,7 +201,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(245, 54, 54, 0.9)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "decimals": null, "fieldConfig": { "defaults": { @@ -298,7 +298,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -417,7 +417,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} 
@@ -519,7 +519,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -620,7 +620,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(245, 54, 54, 0.9)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "decimals": null, "fieldConfig": { "defaults": { @@ -717,7 +717,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -836,7 +836,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -974,7 +974,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1081,7 +1081,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1188,7 +1188,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "", "fieldConfig": { "defaults": { @@ -1352,7 +1352,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1514,7 +1514,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1676,7 +1676,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} 
@@ -1780,7 +1780,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1923,7 +1923,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2030,7 +2030,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2137,7 +2137,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "", "fieldConfig": { "defaults": { @@ -2301,7 +2301,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2463,7 +2463,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2625,7 +2625,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2729,7 +2729,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2848,7 +2848,7 @@ "includeAll": false, "label": null, "multi": false, - "name": "DS_PROMETHEUS", + "name": "datasource", "options": [], "query": "prometheus", "queryValue": "", @@ -2860,7 +2860,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": false, 
@@ -2868,9 +2868,9 @@ "multi": false, "name": "service", "options": [], - "query": "label_values(destination_service)", + "query": "query_result(sum(istio_requests_total{}) by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))", "refresh": 1, - "regex": "", + "regex": "/.*destination_service=\"([^\"]*).*/", "skipUrlSync": false, "sort": 0, "tagValuesQuery": "", @@ -2886,18 +2886,39 @@ "text": "destination", "value": "destination" }, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": false, "label": "Reporter", "multi": true, "name": "qrep", - "options": [], - "query": "label_values(reporter)", + "query": "source,destination", "refresh": 1, "regex": "", "skipUrlSync": false, + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "custom", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${datasource}", + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Client Cluster", + "multi": true, + "name": "srccluster", + "options": [], + "query": "query_result(sum(istio_requests_total{reporter=~\"$qrep\", destination_service=\"$service\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\"$qrep\", destination_service=~\"$service\"}) by (source_cluster))", + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, "sort": 2, "tagValuesQuery": "", "tags": [], @@ -2908,7 +2929,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, @@ -2920,7 +2941,7 @@ "refresh": 1, "regex": "/.*namespace=\"([^\"]*).*/", "skipUrlSync": false, - "sort": 2, + "sort": 3, "tagValuesQuery": "", "tags": [], "tagsQuery": "", @@ -2930,7 +2951,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, 
@@ -2942,7 +2963,7 @@ "refresh": 1, "regex": "/.*workload=\"([^\"]*).*/", "skipUrlSync": false, - "sort": 3, + "sort": 4, "tagValuesQuery": "", "tags": [], "tagsQuery": "", @@ -2952,7 +2973,29 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Service Workload Cluster", + "multi": true, + "name": "dstcluster", + "options": [], + "query": "query_result(sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_cluster) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_cluster))", + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, @@ -2964,7 +3007,7 @@ "refresh": 1, "regex": "/.*namespace=\"([^\"]*).*/", "skipUrlSync": false, - "sort": 2, + "sort": 3, "tagValuesQuery": "", "tags": [], "tagsQuery": "", @@ -2974,7 +3017,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, 
@@ -2982,11 +3025,11 @@ "multi": true, "name": "dstwl", "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_cluster=~\"$dstcluster\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_cluster=~\"$dstcluster\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", "refresh": 1, "regex": "/.*workload=\"([^\"]*).*/", "skipUrlSync": false, - "sort": 3, + "sort": 4, "tagValuesQuery": "", "tags": [], "tagsQuery": "", diff --git a/istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev82.json b/istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev178.json similarity index 98% rename from istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev82.json rename to istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev178.json index b8b0aec38..3cf79c4f9 100644 --- a/istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev82.json +++ b/istio/helm/istio/grafana-dashboards/istio-workload-dashboard_rev178.json @@ -48,7 +48,7 @@ } ] }, - "description": "Istio Workload Dashboard version 1.11.0", + "description": "Istio Workload Dashboard version 1.19.0", "editable": false, "gnetId": 7630, "graphTooltip": 0, @@ -100,7 +100,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(50, 172, 45, 0.97)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} 
@@ -201,7 +201,7 @@ "rgba(237, 129, 40, 0.89)", "rgba(245, 54, 54, 0.9)" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "decimals": null, "fieldConfig": { "defaults": { @@ -298,7 +298,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -417,7 +417,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -519,7 +519,7 @@ "rgba(237, 129, 40, 0.89)", "#d44a3a" ], - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -657,7 +657,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -764,7 +764,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -871,7 +871,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "", "fieldConfig": { "defaults": { @@ -1035,7 +1035,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1197,7 +1197,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1359,7 +1359,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} 
@@ -1463,7 +1463,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1606,7 +1606,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1713,7 +1713,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -1820,7 +1820,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "description": "", "fieldConfig": { "defaults": { @@ -1984,7 +1984,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2146,7 +2146,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2308,7 +2308,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2411,7 +2411,7 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "fieldConfig": { "defaults": { "custom": {} @@ -2530,7 +2530,7 @@ "includeAll": false, "label": null, "multi": false, - "name": "DS_PROMETHEUS", + "name": "datasource", "options": [], "query": "prometheus", "queryValue": "", @@ -2542,7 +2542,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": false, 
@@ -2564,7 +2564,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": false, @@ -2590,15 +2590,14 @@ "text": "destination", "value": "destination" }, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": false, "label": "Reporter", "multi": true, "name": "qrep", - "options": [], - "query": "label_values(reporter)", + "query": "source,destination", "refresh": 1, "regex": "", "skipUrlSync": false, @@ -2606,13 +2605,13 @@ "tagValuesQuery": "", "tags": [], "tagsQuery": "", - "type": "query", + "type": "custom", "useTags": false }, { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, @@ -2634,7 +2633,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, @@ -2656,7 +2655,7 @@ { "allValue": null, "current": {}, - "datasource": "${DS_PROMETHEUS}", + "datasource": "${datasource}", "definition": "", "hide": 0, "includeAll": true, diff --git a/istio/helm/istio/templates/monitoring/dashboards/control-plane-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/control-plane-dashboard.yaml index e50a24aba..244b77bed 100644 --- a/istio/helm/istio/templates/monitoring/dashboards/control-plane-dashboard.yaml +++ b/istio/helm/istio/templates/monitoring/dashboards/control-plane-dashboard.yaml @@ -8,4 +8,4 @@ metadata: k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards data: istio-control-plane-dashboard.json: |- -{{ .Files.Get "grafana-dashboards/istio-control-plane-dashboard_rev82.json" | indent 4 }} +{{ .Files.Get "grafana-dashboards/istio-control-plane-dashboard_rev178.json" | indent 4 }} 
diff --git a/istio/helm/istio/templates/monitoring/dashboards/istio-extension-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/istio-extension-dashboard.yaml
new file mode 100644
index 000000000..8b29e3500
--- /dev/null
+++ b/istio/helm/istio/templates/monitoring/dashboards/istio-extension-dashboard.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-extension-dashboard
+ labels: {{ include "istio.labels" . | nindent 4 }}
+ grafana_dashboard: istio-extension-dashboard
+ annotations:
+ k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards
+data:
+ istio-extension-dashboard.json: |-
+{{ .Files.Get "grafana-dashboards/istio-extension-dashboard_rev135.json" | indent 4 }}
diff --git a/istio/helm/istio/templates/monitoring/dashboards/mesh-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/mesh-dashboard.yaml
index 465b26d2e..c312b6b85 100644
--- a/istio/helm/istio/templates/monitoring/dashboards/mesh-dashboard.yaml
+++ b/istio/helm/istio/templates/monitoring/dashboards/mesh-dashboard.yaml
@@ -8,4 +8,4 @@ metadata:
 k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards
 data:
 istio-mesh-dashboard.json: |-
-{{ .Files.Get "grafana-dashboards/istio-mesh-dashboard_rev82.json" | indent 4 }}
+{{ .Files.Get "grafana-dashboards/istio-mesh-dashboard_rev178.json" | indent 4 }}
diff --git a/istio/helm/istio/templates/monitoring/dashboards/performance-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/performance-dashboard.yaml
index 9ef312653..89fa8ec32 100644
--- a/istio/helm/istio/templates/monitoring/dashboards/performance-dashboard.yaml
+++ b/istio/helm/istio/templates/monitoring/dashboards/performance-dashboard.yaml
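Review bot: The new `istio-extension-dashboard.yaml` ConfigMap takes its body from `.Files.Get "grafana-dashboards/istio-extension-dashboard_rev135.json"` with no check that the file exists. `.Files.Get` returns an empty string for a missing path, so a wrong revision suffix or a JSON file left out of the chart package renders an empty dashboard key instead of failing the install. The same applies to the `_rev82` to `_rev178` renames in the control-plane, mesh, performance, service and workload dashboard templates; the JSON files themselves are not visible in this part of the patch. Wrapping the lookup makes the render fail loudly: `{{ required "dashboard JSON missing from chart" (.Files.Get "grafana-dashboards/istio-extension-dashboard_rev135.json") | indent 4 }}`.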
@@ -8,4 +8,4 @@ metadata:
 k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards
 data:
 istio-performance-dashboard.json: |-
-{{ .Files.Get "grafana-dashboards/istio-performance-dashboard_rev82.json" | indent 4 }}
+{{ .Files.Get "grafana-dashboards/istio-performance-dashboard_rev178.json" | indent 4 }}
diff --git a/istio/helm/istio/templates/monitoring/dashboards/service-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/service-dashboard.yaml
index ae9d15a2e..5d51d80c5 100644
--- a/istio/helm/istio/templates/monitoring/dashboards/service-dashboard.yaml
+++ b/istio/helm/istio/templates/monitoring/dashboards/service-dashboard.yaml
@@ -8,4 +8,4 @@ metadata:
 k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards
 data:
 istio-service-dashboard.json: |-
-{{ .Files.Get "grafana-dashboards/istio-service-dashboard_rev82.json" | indent 4 }}
+{{ .Files.Get "grafana-dashboards/istio-service-dashboard_rev178.json" | indent 4 }}
diff --git a/istio/helm/istio/templates/monitoring/dashboards/workload-dashboard.yaml b/istio/helm/istio/templates/monitoring/dashboards/workload-dashboard.yaml
index 1b96caf0e..c6b2d6a03 100644
--- a/istio/helm/istio/templates/monitoring/dashboards/workload-dashboard.yaml
+++ b/istio/helm/istio/templates/monitoring/dashboards/workload-dashboard.yaml
@@ -8,4 +8,4 @@ metadata:
 k8s-sidecar-target-directory: /tmp/dashboards/Istio Dashboards
 data:
 istio-workload-dashboard.json: |-
-{{ .Files.Get "grafana-dashboards/istio-workload-dashboard_rev82.json" | indent 4 }}
+{{ .Files.Get "grafana-dashboards/istio-workload-dashboard_rev178.json" | indent 4 }}
From 96c6779eebaa9db4128633e5ec2101fe59ea8b77 Mon Sep 17 00:00:00 2001
From: David van der Spek
Date: Tue, 12 Sep 2023 14:06:32 +0200
Subject: [PATCH 16/18] bump chart versions
Signed-off-by: David van der Spek
---
 bootstrap/helm/bootstrap/Chart.yaml | 2 +-
 grafana-agent/helm/grafana-agent/Chart.yaml | 2 +-
 istio-cni/helm/istio-cni/Chart.yaml | 2 +-
 istio-ingress/helm/istio-ingress/Chart.yaml | 2 +-
 istio/helm/istio/Chart.yaml | 2 +-
 kiali/helm/kiali/Chart.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/bootstrap/helm/bootstrap/Chart.yaml b/bootstrap/helm/bootstrap/Chart.yaml
index b34829a61..325000874 100644
--- a/bootstrap/helm/bootstrap/Chart.yaml
+++ b/bootstrap/helm/bootstrap/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
 email: mguarino46@gmail.com
 - name: David van der Spek
 email: david@plural.sh
-version: 0.8.73
+version: 0.8.74
 dependencies:
 - name: external-dns
 version: 6.14.1
diff --git a/grafana-agent/helm/grafana-agent/Chart.yaml b/grafana-agent/helm/grafana-agent/Chart.yaml
index 75468655c..7fd781713 100644
--- a/grafana-agent/helm/grafana-agent/Chart.yaml
+++ b/grafana-agent/helm/grafana-agent/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: grafana-agent
 description: helm chart for grafana-agent
 type: application
-version: 0.1.3
+version: 0.1.4
 appVersion: v0.34.3
 dependencies:
 - name: grafana-agent
diff --git a/istio-cni/helm/istio-cni/Chart.yaml b/istio-cni/helm/istio-cni/Chart.yaml
index 36d28b9c9..5b75d2656 100644
--- a/istio-cni/helm/istio-cni/Chart.yaml
+++ b/istio-cni/helm/istio-cni/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: istio-cni
 description: helm chart for istio-cni
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "1.19.0"
 dependencies:
 - name: cni
diff --git a/istio-ingress/helm/istio-ingress/Chart.yaml b/istio-ingress/helm/istio-ingress/Chart.yaml
index 419628341..e282055c2 100644
--- a/istio-ingress/helm/istio-ingress/Chart.yaml
+++ b/istio-ingress/helm/istio-ingress/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: istio-ingress
 description: helm chart for istio-ingress
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "1.19.0"
 dependencies:
 - name: gateway
diff --git a/istio/helm/istio/Chart.yaml b/istio/helm/istio/Chart.yaml
index 51fc4d098..04aceeaef 100644
--- a/istio/helm/istio/Chart.yaml
+++ b/istio/helm/istio/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: istio
 description: A chart bundling the istio operator for plural
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: "1.19.0"
 dependencies:
 - name: base
diff --git a/kiali/helm/kiali/Chart.yaml b/kiali/helm/kiali/Chart.yaml
index f80349a1b..51f9ed588 100644
--- a/kiali/helm/kiali/Chart.yaml
+++ b/kiali/helm/kiali/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kiali
 description: helm chart for kiali
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "v1.73.0"
 dependencies:
 - name: kiali-server
From 020cdc0b011000b23edd0b25abe1e3e03baff860 Mon Sep 17 00:00:00 2001
From: David van der Spek
Date: Tue, 12 Sep 2023 14:20:52 +0200
Subject: [PATCH 17/18] remove breaking flag
Signed-off-by: David van der Spek
---
 istio/helm/istio/deps.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/istio/helm/istio/deps.yaml b/istio/helm/istio/deps.yaml
index 0852f4f28..689a14e18 100644
--- a/istio/helm/istio/deps.yaml
+++ b/istio/helm/istio/deps.yaml
@@ -4,7 +4,7 @@ metadata:
 application: true
 description: deploys istio operator and istio itself
 spec:
- breaking: true
+ breaking: false
 dependencies:
 - type: helm
 name: bootstrap
From dbc39cd92ad79bc2bf926474c56028d5e57c8889 Mon Sep 17 00:00:00 2001
From: David van der Spek
Date: Tue, 12 Sep 2023 15:07:25 +0200
Subject: [PATCH 18/18] fix recipes
Signed-off-by: David van der Spek
---
 istio-cni/plural/recipes/istio-cni-azure.yaml | 2 +-
 istio-cni/plural/recipes/istio-cni-gcp.yaml | 2 +-
 istio-ingress/plural/recipes/istio-ingress-azure.yaml | 2 +-
 istio-ingress/plural/recipes/istio-ingress-gcp.yaml | 2 +-
 kiali/plural/recipes/kiali-azure.yaml | 2 +-
 kiali/plural/recipes/kiali-gcp.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
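Review bot: Setting `breaking: false` under `spec` in `istio/helm/istio/deps.yaml` comes with no stated rationale, although the first patch of this series is titled as a re-onboard, upgrade and split of the istio chart. The flag's semantics are not visible here; if it is what tells operators that an upgrade needs manual steps, existing installs would move to the split charts without that signal. A one-line comment above the field, for example `# non-breaking: <reason an in-place upgrade is safe>`, or a sentence in the commit message would make the decision reviewable.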
diff --git a/istio-cni/plural/recipes/istio-cni-azure.yaml b/istio-cni/plural/recipes/istio-cni-azure.yaml
index f36ad0655..8ae1146e0 100644
--- a/istio-cni/plural/recipes/istio-cni-azure.yaml
+++ b/istio-cni/plural/recipes/istio-cni-azure.yaml
@@ -1,5 +1,5 @@
 name: istio-cni-azure
-description: Installs istio-cni on an aws eks cluster
+description: Installs istio-cni on an azure aks cluster
 provider: AZURE
 primary: true
 dependencies:
diff --git a/istio-cni/plural/recipes/istio-cni-gcp.yaml b/istio-cni/plural/recipes/istio-cni-gcp.yaml
index 6b7754689..48c90a5e6 100644
--- a/istio-cni/plural/recipes/istio-cni-gcp.yaml
+++ b/istio-cni/plural/recipes/istio-cni-gcp.yaml
@@ -1,5 +1,5 @@
 name: istio-cni-gcp
-description: Installs istio-cni on an aws eks cluster
+description: Installs istio-cni on a gcp gke cluster
 provider: GCP
 primary: true
 dependencies:
diff --git a/istio-ingress/plural/recipes/istio-ingress-azure.yaml b/istio-ingress/plural/recipes/istio-ingress-azure.yaml
index cf7d52a17..e6706b169 100644
--- a/istio-ingress/plural/recipes/istio-ingress-azure.yaml
+++ b/istio-ingress/plural/recipes/istio-ingress-azure.yaml
@@ -1,5 +1,5 @@
 name: istio-ingress-azure
-description: Installs istio-ingress on an aws eks cluster
+description: Installs istio-ingress on an azure aks cluster
 provider: AZURE
 primary: true
 dependencies:
diff --git a/istio-ingress/plural/recipes/istio-ingress-gcp.yaml b/istio-ingress/plural/recipes/istio-ingress-gcp.yaml
index 488af8173..fbdbb2590 100644
--- a/istio-ingress/plural/recipes/istio-ingress-gcp.yaml
+++ b/istio-ingress/plural/recipes/istio-ingress-gcp.yaml
@@ -1,5 +1,5 @@
 name: istio-ingress-gcp
-description: Installs istio-ingress on an aws eks cluster
+description: Installs istio-ingress on a gcp gke cluster
 provider: GCP
 primary: true
 dependencies:
diff --git a/kiali/plural/recipes/kiali-azure.yaml b/kiali/plural/recipes/kiali-azure.yaml
index 09b0389b3..27f5f8362 100644
--- a/kiali/plural/recipes/kiali-azure.yaml
+++ b/kiali/plural/recipes/kiali-azure.yaml
@@ -1,5 +1,5 @@
 name: kiali-azure
-description: Installs kiali on an aws eks cluster
+description: Installs kiali on an azure aks cluster
 provider: AZURE
 primary: true
 oidcSettings:
diff --git a/kiali/plural/recipes/kiali-gcp.yaml b/kiali/plural/recipes/kiali-gcp.yaml
index 19051022b..3bca0b461 100644
--- a/kiali/plural/recipes/kiali-gcp.yaml
+++ b/kiali/plural/recipes/kiali-gcp.yaml
@@ -1,5 +1,5 @@
 name: kiali-gcp
-description: Installs kiali on an aws eks cluster
+description: Installs kiali on a gcp gke cluster
 provider: GCP
 primary: true
 oidcSettings: