Merge pull request istio#12844 from howardjohn/master-merge2

Merge release-1.1 into master

install/kubernetes/helm/istio/charts/certmanager/templates/deployment.yaml

@@ -25,7 +25,6 @@ spec:
         {{- end }}
       annotations:
         sidecar.istio.io/inject: "false"
-        scheduler.alpha.kubernetes.io/critical-pod: ""
         {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
         {{- end }}
@@ -61,3 +60,4 @@ spec:
       {{- end }}
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}

install/kubernetes/helm/istio/charts/certmanager/values.yaml

@@ -9,3 +9,23 @@ tag: v0.6.2
 resources: {}
 nodeSelector: {}
 
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}

install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml

@@ -25,7 +25,6 @@ spec:
         istio: galley
       annotations:
         sidecar.istio.io/inject: "false"
-        scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       serviceAccountName: istio-galley-service-account
 {{- if .Values.global.priorityClassName }}
@@ -111,3 +110,4 @@ spec:
           name: istio
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}

install/kubernetes/helm/istio/charts/galley/values.yaml

@@ -6,3 +6,23 @@ replicaCount: 1
 image: galley
 nodeSelector: {}
 
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}

install/kubernetes/helm/istio/charts/gateways/templates/_affinity.tpl

@@ -41,3 +41,53 @@
     {{- end }}
   {{- end }}
 {{- end }}
+
+{{- define "gatewaypodAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+  podAntiAffinity:
+    {{- if .podAntiAffinityLabelSelector }}
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }}
+    {{- end }}
+    {{- if .podAntiAffinityTermLabelSelector }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityLabelSelector }}
+    - labelSelector:
+        matchExpressions:
+        - key: {{ $item.key }}
+          operator: {{ $item.operator }}
+          {{- if $item.value }}
+          values:
+          {{- $vals := split "," $item.values }}
+          {{- range $i, $v := $vals }}
+          - {{ $v }}
+          {{- end }}
+          {{- end }}
+      topologyKey: {{ $item.topologyKey }}
+    {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: {{ $item.key }}
+            operator: {{ $item.operator }}
+            {{- if .value }}
+            values:
+            {{- $vals := split "," $item.values }}
+            {{- range $i, $v := $vals }}
+            - {{ $v }}
+            {{- end }}
+            {{- end }}
+        topologyKey: {{ $item.topologyKey }}
+      weight: 100
+    {{- end }}
+{{- end }}

install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml

@@ -32,7 +32,6 @@ spec:
         {{- end }}
       annotations:
         sidecar.istio.io/inject: "false"
-        scheduler.alpha.kubernetes.io/critical-pod: ""
 {{- if $spec.podAnnotations }}
 {{ toYaml $spec.podAnnotations | indent 8 }}
 {{ end }}
@@ -283,6 +282,7 @@ spec:
       {{- end }}
       affinity:
       {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }}
+      {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }}
 ---
 {{- end }}
 {{- end }}

install/kubernetes/helm/istio/charts/gateways/values.yaml

@@ -112,6 +112,27 @@ istio-ingressgateway:
     ISTIO_META_ROUTER_MODE: "sni-dnat"
   nodeSelector: {}
 
+  # Specify the pod anti-affinity that allows you to constrain which nodes
+  # your pod is eligible to be scheduled based on labels on pods that are
+  # already running on the node rather than based on labels on nodes.
+  # There are currently two types of anti-affinity:
+  #    "requiredDuringSchedulingIgnoredDuringExecution"
+  #    "preferredDuringSchedulingIgnoredDuringExecution"
+  # which denote “hard” vs. “soft” requirements, you can define your values
+  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+  # correspondingly.
+  # For example:
+  # podAntiAffinityLabelSelector:
+  # - key: security
+  #   operator: In
+  #   values: S1,S2
+  #   topologyKey: "kubernetes.io/hostname"
+  # This pod anti-affinity rule says that the pod requires not to be scheduled
+  # onto a node if that node is already running a pod with label having key
+  # “security” and value “S1”.
+  podAntiAffinityLabelSelector: {}
+  podAntiAffinityTermLabelSelector: {}
+
 istio-egressgateway:
   enabled: false
   labels:
@@ -158,6 +179,27 @@ istio-egressgateway:
     # enable cross cluster routing.
     ISTIO_META_ROUTER_MODE: "sni-dnat"
   nodeSelector: {}
+
+  # Specify the pod anti-affinity that allows you to constrain which nodes
+  # your pod is eligible to be scheduled based on labels on pods that are
+  # already running on the node rather than based on labels on nodes.
+  # There are currently two types of anti-affinity:
+  #    "requiredDuringSchedulingIgnoredDuringExecution"
+  #    "preferredDuringSchedulingIgnoredDuringExecution"
+  # which denote “hard” vs. “soft” requirements, you can define your values
+  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+  # correspondingly.
+  # For example:
+  # podAntiAffinityLabelSelector:
+  # - key: security
+  #   operator: In
+  #   values: S1,S2
+  #   topologyKey: "kubernetes.io/hostname"
+  # This pod anti-affinity rule says that the pod requires not to be scheduled
+  # onto a node if that node is already running a pod with label having key
+  # “security” and value “S1”.
+  podAntiAffinityLabelSelector: {}
+  podAntiAffinityTermLabelSelector: {}
 
 # Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
 # for mesh expansion. It exposes the mtls ports for Pilot,CA as well

install/kubernetes/helm/istio/charts/grafana/templates/create-custom-resources-job.yaml

@@ -89,3 +89,6 @@ spec:
           configMap:
             name: istio-grafana-custom-resources
       restartPolicy: OnFailure
+      affinity:
+      {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}

install/kubernetes/helm/istio/charts/grafana/templates/deployment.yaml

@@ -19,7 +19,6 @@ spec:
         release: {{ .Release.Name }}
       annotations:
         sidecar.istio.io/inject: "false"
-        scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       securityContext:
         runAsUser: 472
@@ -97,6 +96,7 @@ spec:
             subPath: dashboardproviders.yaml
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}
       volumes:
       - name: config
         configMap:

install/kubernetes/helm/istio/charts/grafana/templates/tests/test-grafana-connection.yaml

@@ -11,7 +11,6 @@ metadata:
     heritage: {{ .Release.Service }}
     istio: grafana
   annotations:
-    scheduler.alpha.kubernetes.io/critical-pod: ""
     sidecar.istio.io/inject: "false"
     helm.sh/hook: test-success
 spec:
@@ -27,4 +26,5 @@ spec:
   restartPolicy: Never
   affinity:
     {{- include "nodeaffinity" . | indent 4 }}
+    {{- include "podAntiAffinity" . | indent 4 }}
 {{- end }}

install/kubernetes/helm/istio/charts/grafana/values.yaml

@@ -28,6 +28,28 @@ security:
   usernameKey: username
   passphraseKey: passphrase
 nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}
+
 contextPath: /grafana
 service:
   annotations: {}

install/kubernetes/helm/istio/charts/istiocoredns/templates/deployment.yaml

@@ -20,7 +20,6 @@ spec:
         release: {{ .Release.Name }}
       annotations:
         sidecar.istio.io/inject: "false"
-        scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       serviceAccountName: istiocoredns-service-account
 {{- if .Values.global.priorityClassName }}
@@ -84,3 +83,4 @@ spec:
             path: Corefile
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}

install/kubernetes/helm/istio/charts/istiocoredns/values.yaml

@@ -9,3 +9,24 @@ coreDNSImage: coredns/coredns:1.1.2
 # The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
 coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
 nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}

install/kubernetes/helm/istio/charts/kiali/templates/deployment.yaml

@@ -72,3 +72,4 @@ spec:
           optional: true
       affinity:
       {{- include "nodeaffinity" . | indent 6 }}
+      {{- include "podAntiAffinity" . | indent 6 }}

install/kubernetes/helm/istio/charts/kiali/templates/tests/test-kiali-connection.yaml

@@ -11,7 +11,6 @@ metadata:
     heritage: {{ .Release.Service }}
     istio: kiali
   annotations:
-    scheduler.alpha.kubernetes.io/critical-pod: ""
     sidecar.istio.io/inject: "false"
     helm.sh/hook: test-success
 spec:
@@ -27,4 +26,5 @@ spec:
   restartPolicy: Never
   affinity:
     {{- include "nodeaffinity" . | indent 4 }}
+    {{- include "podAntiAffinity" . | indent 4 }}
 {{- end }}

install/kubernetes/helm/istio/charts/kiali/values.yaml

@@ -1,12 +1,34 @@
 #
 # addon kiali
 #
-enabled: false
+enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
 replicaCount: 1
 hub: docker.io/kiali
 tag: v0.16
-contextPath: /kiali
+contextPath: /kiali # The root context path to access the Kiali UI.
 nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+#    "requiredDuringSchedulingIgnoredDuringExecution"
+#    "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+#   operator: In
+#   values: S1,S2
+#   topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}
+
 ingress:
   enabled: false
   ## Used to create an Ingress record.
@@ -22,13 +44,11 @@ ingress:
     #     - kiali.local
 
 dashboard:
-  secretName: kiali
-
-  # Override the automatically detected Grafana URL, useful when Grafana service has no ExternalIPs
-  # grafanaURL:
-
-  # Override the automatically detected Jaeger URL, useful when Jaeger service has no ExternalIPs
-  # jaegerURL:
+  secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
+  usernameKey: username # This is the key name within the secret whose value is the actual username.
+  passphraseKey: passphrase # This is the key name within the secret whose value is the actual passphrase.
+  grafanaURL:  # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
+  jaegerURL:  # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
 prometheusAddr: http://prometheus:9090
 
 # When true, a secret will be created with a default username and password. Useful for demos.