Add KubeZero default Istio config

This commit is contained in:
Stefan Reimer 2020-07-21 18:30:21 +01:00
parent 545ab623dc
commit 0c88f62889
7 changed files with 334 additions and 4 deletions

View File

@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: public-ingress-cert
namespace: istio-system
spec:
secretName: public-ingress-cert
issuerRef:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml .Values.ingress.dnsNames | indent 4 }}

View File

@ -0,0 +1,68 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: ingressgateway
namespace: istio-system
annotations:
argocd.argoproj.io/sync-wave: "10"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP2
hosts:
- "*"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: private-ingressgateway
namespace: istio-system
annotations:
argocd.argoproj.io/sync-wave: "10"
spec:
selector:
istio: private-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP2
hosts:
- "*"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert
- port:
number: 24224
name: fluentd-forward
protocol: TCP
hosts:
- "*"

View File

@ -0,0 +1,97 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: kubezero-istio-private-ingress
namespace: istio-system
spec:
profile: empty
components:
ingressGateways:
- name: istio-private-ingressgateway
enabled: true
namespace: istio-system
k8s:
env:
- name: ISTIO_META_HTTP10
value: '"1"'
- name: ISTIO_META_ROUTER_MODE
value: standard
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
targetAverageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-private-ingressgateway
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
values:
gateways:
istio-ingressgateway:
externalTrafficPolicy: Local
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
meshExpansionPorts: []
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
ports:
- name: http2
nodePort: 31080
port: 80
targetPort: 80
- name: https
nodePort: 31443
port: 443
- name: amqp
nodePort: 30672
port: 5672
targetPort: 5672
- name: amqps
nodePort: 30671
port: 5671
targetPort: 5671
- name: fluentd-forward
nodePort: 31224
port: 24224
targetPort: 24224
sds:
enabled: true
image: node-agent-k8s
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
secretVolumes:
- mountPath: /etc/istio/ingressgateway-certs
name: ingressgateway-certs
secretName: istio-ingressgateway-certs
- mountPath: /etc/istio/ingressgateway-ca-certs
name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
type: NodePort
global:
jwtPolicy: first-party-jwt

View File

@ -0,0 +1,130 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: kubezero-istio
namespace: istio-system
spec:
profile: empty
addonComponents:
prometheus:
enabled: false
components:
base:
enabled: true
citadel:
enabled: false
galley:
enabled: false
ingressGateways:
- enabled: true
k8s:
env:
- name: ISTIO_META_HTTP10
value: '"1"'
- name: ISTIO_META_ROUTER_MODE
value: standard
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
targetAverageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
name: istio-ingressgateway
pilot:
enabled: true
k8s:
nodeSelector:
node-role.kubernetes.io/master: ""
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
policy:
enabled: true
k8s:
replicaCount: 1
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
sidecarInjector:
enabled: false
telemetry:
enabled: false
values:
gateways:
istio-ingressgateway:
externalTrafficPolicy: Local
labels:
app: istio-ingressgateway
istio: ingressgateway
meshExpansionPorts: []
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
ports:
- name: http2
nodePort: 30080
port: 80
targetPort: 80
- name: https
nodePort: 30443
port: 443
sds:
enabled: true
image: node-agent-k8s
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
secretVolumes:
- mountPath: /etc/istio/ingressgateway-certs
name: ingressgateway-certs
secretName: istio-ingressgateway-certs
- mountPath: /etc/istio/ingressgateway-ca-certs
name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
type: NodePort
meshConfig:
accessLogFile: /dev/stdout
disablePolicyChecks: false
global:
jwtPolicy: first-party-jwt
omitSidecarInjectorConfigMap: true
proxy:
accessLogEncoding: JSON
autoInject: disabled
envoyStatsd:
enabled: false
useMCP: false
pilot:
sidecar: false

View File

@ -0,0 +1,15 @@
#!/bin/bash
# First delete old 1.4
kubectl delete -f ingress-gateway.yaml
kubectl delete -f istio.yaml
kubectl delete -f istio-init.yaml
kubectl delete -f namespace.yaml
# Now we need to install the new Istio Operator via KubeZero
# deploy the CR for 1.6
kubectl apply -f istio-1.6.yaml
# add the additiona private ingress gateway as dedicated CR
kubectl apply -f istio-1.6-private-ingress.yaml

View File

@ -1,3 +1,13 @@
istiod:
autoscale: true
# replicaCount: 2
ingress:
autoscale: true
# replicaCount: 2
dnsNames:
- "*.example.com"
istio-operator:
hub: docker.io/istio
tag: 1.6.5

View File

@ -16,10 +16,7 @@ kubezero:
cert-manager:
enabled: {{ index .Values "cert-manager" "enabled" }}
values:
{{- if .Values.bootstrap }}
localCA:
enabled: false
{{- else }}
{{- if not .Values.bootstrap }}
{{- if .Values.aws }}
cert-manager:
podAnnotations:
@ -41,6 +38,7 @@ kubezero:
region: {{ .Values.region }}
{{- end }}
# AWS only components
{{- if .Values.aws }}
aws-ebs-csi-driver:
enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}