# Make sure these values match kuberzero-istio !!!
# `global` is shared with the istio-ingress / istio-private-ingress sub-charts
# below; keep it in sync with the parent istio chart so both control plane
# and gateways run the same image/tag and scheduling defaults.
global:
  # Image hub/tag are left commented so the value presumably comes from the
  # parent chart's defaults — only uncomment to pin the gateways separately.
  #hub: docker.io/istio
  #tag: 1.11.0

  # Structured proxy/gateway logs (one JSON object per line) for the log pipeline.
  logAsJson: true

  # Gateways are scheduled as cluster-critical so they are evicted/preempted
  # after ordinary workloads. Quoted deliberately: plain string, not a keyword.
  priorityClassName: "system-cluster-critical"

  # No PodDisruptionBudget: the gateways below run with replicaCount 1, and
  # the upstream PDB would presumably block node drains for a single replica
  # — TODO confirm against the upstream chart before enabling.
  defaultPodDisruptionBudget:
    enabled: false

  # Per-architecture node affinity weights; only amd64 is given a weight here,
  # other architectures keep whatever the upstream chart defaults to.
  arch:
    amd64: 2
# Public ingress gateway (fronted by the public NLB). Disabled by default;
# enable per cluster and fill in `certificates[].dnsNames`.
istio-ingress:
  enabled: false

  # Gateway telemetry (metrics/tracing) is opt-in.
  telemetry:
    enabled: false

  gateways:
    istio-ingressgateway:
      # Fixed single replica, no HPA. Rollout is surge 1 / unavailable 0 so a
      # new pod is Ready before the old one is taken out of the NLB.
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0

      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # CPU limit intentionally left off (presumably to avoid CFS
          # throttling latency on the proxy); memory is still capped.
          # cpu: 100m
          memory: 512Mi

      # Local keeps the real client source IP and only routes to nodes that
      # host a gateway pod; the NLB health check on status-port (below)
      # detects nodes without a pod.
      externalTrafficPolicy: Local
      # Spread gateway pods across nodes (one per hostname).
      podAntiAffinityLabelSelector:
      - key: app
        operator: In
        topologyKey: kubernetes.io/hostname
        values: istio-ingressgateway
      # NodePort Service behind an externally managed NLB, not a cloud
      # LoadBalancer Service.
      type: NodePort
      podAnnotations:
        # Give in-flight connections 20s to drain when the pod is terminated.
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'

      # custom hardened bootstrap config
      # Envoy starts from the bootstrap in this ConfigMap instead of the
      # istio-agent generated one. The ConfigMap must exist in the gateway
      # namespace before the pod starts, otherwise the volume mount keeps the
      # pod in ContainerCreating. Mount path and env path must stay in sync.
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
      - name: custom-bootstrap-volume
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config

      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      # NOTE(review): a stock nodeSelector is an exact-match, so the literal
      # value "Exists" only works through the patched chart (zdt.patch); with
      # an unpatched chart the node label would have to equal "Exists".
      nodeSelector:
        node.kubernetes.io/ingress.public: "Exists"

      # Only nodes that are fronted with the matching NLB
      # (nodeAffinity equivalent, kept for reference)
      #affinity:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.public
      #          operator: Exists

      # Map port 80/443 to 8080/8443 so we don't need to run as root
      #
      # ports is extended as follows:
      #   noGateway: true -> this port does NOT get mapped to a Gateway port
      #   tls: optional gateway port setting
      #   gatewayProtocol: load balancer protocol which is NOT the same as the container protocol !
      ports:
      # Readiness/health endpoint for the NLB target group; kept off the
      # Gateway (noGateway) so it is never exposed as a routable listener.
      - name: status-port
        port: 15021
        nodePort: 30021
        noGateway: true
      # Plain HTTP only exists to redirect to HTTPS (httpsRedirect -> 301).
      # This does not set HSTS; that has to come from the application/VirtualService.
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 30080
        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      # Server-side TLS terminated at the gateway; SIMPLE = no client cert.
      # The serving cert presumably comes from `certificates` below via the
      # chart template — verify. NOTE(review): if the chart passes `tls`
      # through to the Gateway server, consider pinning `minProtocolVersion: TLSV1_2`.
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 30443
        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE

  # cert-manager Certificate(s) for the gateway. dnsNames MUST be set per
  # cluster; an empty list presumably renders a Certificate without SANs.
  certificates:
  - name: ingress-cert
    dnsNames: []
    # - '*.example.com'

  # Trust PROXY protocol headers from the fronting NLB for the client address.
  # SECURITY: this is only safe while the NodePorts above are reachable
  # exclusively from the NLB (security groups / firewall). A client that can
  # reach a node port directly can forge a PROXY header and spoof its source
  # IP towards everything that trusts X-Forwarded-For / the peer address.
  proxyProtocol: true

  meshConfig:
    defaultConfig:
      # Bare `proxyMetadata:` with only a comment below parses as null; Helm
      # treats a null override as "drop the upstream default", which is
      # harmless only while that default is empty — TODO confirm upstream.
      proxyMetadata:
        # ISTIO_META_HTTP10: 1
# Private ingress gateway (fronted by an internal NLB on the
# `ingress.private` nodes). Same chart as the public one; only the name,
# labels, node label and NodePorts differ. Disabled by default.
istio-private-ingress:
  enabled: false

  # Gateway telemetry (metrics/tracing) is opt-in.
  telemetry:
    enabled: false

  gateways:
    istio-ingressgateway:
      # name and labels make the ingress private
      # The labels are what Gateway resources select on
      # (`istio: private-ingressgateway`); "private" is otherwise only
      # enforced by the node label / NLB placement, not by the gateway itself.
      name: istio-private-ingressgateway
      labels:
        app: istio-private-ingressgateway
        istio: private-ingressgateway

      # Fixed single replica, no HPA. Rollout is surge 1 / unavailable 0 so a
      # new pod is Ready before the old one is taken out of the NLB.
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0

      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # CPU limit intentionally left off (presumably to avoid CFS
          # throttling latency on the proxy); memory is still capped.
          # cpu: 100m
          memory: 512Mi

      # Local keeps the real client source IP and only routes to nodes that
      # host a gateway pod; the NLB health check on status-port (below)
      # detects nodes without a pod.
      externalTrafficPolicy: Local
      # Spread gateway pods across nodes (one per hostname).
      podAntiAffinityLabelSelector:
      - key: app
        operator: In
        topologyKey: kubernetes.io/hostname
        values: istio-private-ingressgateway
      # NodePort Service behind an externally managed (internal) NLB.
      type: NodePort
      podAnnotations:
        # Give in-flight connections 20s to drain when the pod is terminated.
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'

      # custom hardened bootstrap config
      # Same ConfigMap as the public gateway; it must exist in this gateway's
      # namespace before the pod starts or the volume mount blocks pod creation.
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
      - name: custom-bootstrap-volume
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config

      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      # NOTE(review): a stock nodeSelector is an exact-match, so the literal
      # value "Exists" only works through the patched chart (zdt.patch).
      nodeSelector:
        node.kubernetes.io/ingress.private: "Exists"

      # Only nodes that are fronted with the matching NLB
      # (nodeAffinity equivalent, kept for reference)
      #affinity:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.private
      #          operator: Exists

      # Same port scheme as the public gateway (80/443 -> 8080/8443, non-root)
      # but on the 31xxx NodePort range so both gateways can share nodes.
      ports:
      # NLB health check; not mapped to a Gateway listener.
      - name: status-port
        port: 15021
        nodePort: 31021
        noGateway: true
      # Plain HTTP only redirects to HTTPS.
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 31080
        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      # Server-side TLS, no client cert required.
      # NOTE(review): consider `minProtocolVersion: TLSV1_2` if `tls` is
      # passed through to the Gateway server.
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 31443
        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE
      # Optional non-HTTP passthrough ports, disabled. Note that amqp and
      # redis below would be plaintext TCP exposed on the internal NLB.
      #- name: fluentd-forward
      #  port: 24224
      #  nodePort: 31224
      #  gatewayProtocol: TLS
      #  tls:
      #    mode: SIMPLE
      #- name: amqps
      #  port: 5671
      #  nodePort: 31671
      #- name: amqp
      #  port: 5672
      #  nodePort: 31672
      #- name: redis
      #  port: 6379
      #  nodePort: 31379

  # cert-manager Certificate(s) for the private gateway; dnsNames MUST be
  # set per cluster.
  certificates:
  - name: private-ingress-cert
    dnsNames: []
    #- '*.example.com'

  # Trust PROXY protocol headers from the fronting NLB for the client address.
  # SECURITY: only safe while the NodePorts above are reachable exclusively
  # from the NLB; a client that can hit a node port directly can forge a
  # PROXY header and spoof its source IP.
  proxyProtocol: true

  meshConfig:
    defaultConfig:
      # Bare `proxyMetadata:` parses as null (Helm: drop the upstream
      # default) — harmless only while that default is empty; TODO confirm.
      proxyMetadata:
        # ISTIO_META_HTTP10: 1