Add KubeZero default Istio config
This commit is contained in:
parent
545ab623dc
commit
0c88f62889
12
charts/kubezero-istio/templates/ingress-certificate.yaml
Normal file
12
charts/kubezero-istio/templates/ingress-certificate.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: public-ingress-cert
|
||||
namespace: istio-system
|
||||
spec:
|
||||
secretName: public-ingress-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml .Values.ingress.dnsNames | indent 4 }}
|
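Review bot: The `dnsNames` list at the end of the template is rendered straight from `.Values.ingress.dnsNames` with no guard, so an unset or empty value yields `dnsNames:` with a null body that cert-manager rejects, while the chart default visible in the values hunk further down (`"*.example.com"`) would ask the production `letsencrypt-dns-prod` ClusterIssuer for a wildcard certificate on a domain the installer does not control. Make a missing value fail at render time instead: `{{ toYaml (required "ingress.dnsNames must be set" .Values.ingress.dnsNames) | indent 4 }}`. `apiVersion: cert-manager.io/v1alpha2` is the pre-v1 cert-manager API that later cert-manager releases no longer serve, so a comment naming the cert-manager version this chart is pinned against would save the next upgrader a failed sync.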
68
charts/kubezero-istio/templates/ingress-gateway.yaml
Normal file
68
charts/kubezero-istio/templates/ingress-gateway.yaml
Normal file
@ -0,0 +1,68 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
namespace: istio-system
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "10"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 80
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
- "*"
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
- "*"
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: istio-system
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "10"
|
||||
spec:
|
||||
selector:
|
||||
istio: private-ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 80
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
- "*"
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
- "*"
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
- port:
|
||||
number: 24224
|
||||
name: fluentd-forward
|
||||
protocol: TCP
|
||||
hosts:
|
||||
- "*"
|
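Review bot: Both HTTPS servers (the `tls:` blocks under `number: 443` for `ingressgateway` and `private-ingressgateway`) set `credentialName: public-ingress-cert` and also the file paths `privateKey: /etc/istio/ingressgateway-certs/tls.key` / `serverCertificate: /etc/istio/ingressgateway-certs/tls.crt`; Istio's ServerTLSSettings take either the SDS `credentialName` or file-based certificates, not both, so drop the two path lines and keep the SDS reference that the cert-manager Certificate added in this commit actually populates. `hosts: - "*"` on every server lets a VirtualService from any namespace bind to these gateways; if namespaces are tenancy boundaries here, use namespace-qualified hosts (`namespace/hostname`) rather than the bare wildcard. The private gateway's `fluentd-forward` server (`protocol: TCP`, port 24224) carries log traffic with no `tls:` block and so relies entirely on the network being private; a comment stating that assumption next to the server would help the next maintainer.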
97
charts/kubezero-istio/templates/istio-private-ingress.yaml
Normal file
97
charts/kubezero-istio/templates/istio-private-ingress.yaml
Normal file
@ -0,0 +1,97 @@
|
||||
apiVersion: install.istio.io/v1alpha1
|
||||
kind: IstioOperator
|
||||
metadata:
|
||||
name: kubezero-istio-private-ingress
|
||||
namespace: istio-system
|
||||
spec:
|
||||
profile: empty
|
||||
components:
|
||||
ingressGateways:
|
||||
- name: istio-private-ingressgateway
|
||||
enabled: true
|
||||
namespace: istio-system
|
||||
k8s:
|
||||
env:
|
||||
- name: ISTIO_META_HTTP10
|
||||
value: '"1"'
|
||||
- name: ISTIO_META_ROUTER_MODE
|
||||
value: standard
|
||||
hpaSpec:
|
||||
maxReplicas: 5
|
||||
metrics:
|
||||
- resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: 80
|
||||
type: Resource
|
||||
minReplicas: 1
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-private-ingressgateway
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 100%
|
||||
maxUnavailable: 25%
|
||||
values:
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
externalTrafficPolicy: Local
|
||||
labels:
|
||||
app: istio-private-ingressgateway
|
||||
istio: private-ingressgateway
|
||||
meshExpansionPorts: []
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
ports:
|
||||
- name: http2
|
||||
nodePort: 31080
|
||||
port: 80
|
||||
targetPort: 80
|
||||
- name: https
|
||||
nodePort: 31443
|
||||
port: 443
|
||||
- name: amqp
|
||||
nodePort: 30672
|
||||
port: 5672
|
||||
targetPort: 5672
|
||||
- name: amqps
|
||||
nodePort: 30671
|
||||
port: 5671
|
||||
targetPort: 5671
|
||||
- name: fluentd-forward
|
||||
nodePort: 31224
|
||||
port: 24224
|
||||
targetPort: 24224
|
||||
sds:
|
||||
enabled: true
|
||||
image: node-agent-k8s
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
secretVolumes:
|
||||
- mountPath: /etc/istio/ingressgateway-certs
|
||||
name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
- mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
type: NodePort
|
||||
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
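Review bot: The pod anti-affinity selector under `podAntiAffinityLabelSelector` matches `key: app` with `values: istio-ingressgateway`, but this gateway's pods are labelled `app: istio-private-ingressgateway` a few lines above, so the rule never matches the private gateway's own replicas (it only keeps them away from the public gateway's pods) and the HPA may place all private replicas on one node; change it to `values: istio-private-ingressgateway`. The two `secretVolumes` mounts (`istio-ingressgateway-certs`, `istio-ingressgateway-ca-certs`) are the legacy file-based certificate mounts, yet `sds: enabled: true` is set and the Gateway in this commit references its secret by `credentialName`; if nothing creates those secrets the mounts are dead config, and if something does it is a second copy of key material to rotate, so keep one mechanism. The `nodeSelector` value `"31080_31443_30671_30672_31224"` encodes the NodePorts listed under `ports:`; a comment saying the label is a contract with node provisioning and must change together with the `ports:` list would stop the two from drifting apart.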
130
charts/kubezero-istio/templates/istio.yaml
Normal file
130
charts/kubezero-istio/templates/istio.yaml
Normal file
@ -0,0 +1,130 @@
|
||||
apiVersion: install.istio.io/v1alpha1
|
||||
kind: IstioOperator
|
||||
metadata:
|
||||
name: kubezero-istio
|
||||
namespace: istio-system
|
||||
spec:
|
||||
profile: empty
|
||||
addonComponents:
|
||||
prometheus:
|
||||
enabled: false
|
||||
components:
|
||||
base:
|
||||
enabled: true
|
||||
citadel:
|
||||
enabled: false
|
||||
galley:
|
||||
enabled: false
|
||||
ingressGateways:
|
||||
- enabled: true
|
||||
k8s:
|
||||
env:
|
||||
- name: ISTIO_META_HTTP10
|
||||
value: '"1"'
|
||||
- name: ISTIO_META_ROUTER_MODE
|
||||
value: standard
|
||||
hpaSpec:
|
||||
maxReplicas: 5
|
||||
metrics:
|
||||
- resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: 80
|
||||
type: Resource
|
||||
minReplicas: 1
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-ingressgateway
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "30080_30443"
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 100%
|
||||
maxUnavailable: 25%
|
||||
name: istio-ingressgateway
|
||||
pilot:
|
||||
enabled: true
|
||||
k8s:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
replicaCount: 1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
policy:
|
||||
enabled: true
|
||||
k8s:
|
||||
replicaCount: 1
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
sidecarInjector:
|
||||
enabled: false
|
||||
telemetry:
|
||||
enabled: false
|
||||
values:
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
externalTrafficPolicy: Local
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
meshExpansionPorts: []
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
ports:
|
||||
- name: http2
|
||||
nodePort: 30080
|
||||
port: 80
|
||||
targetPort: 80
|
||||
- name: https
|
||||
nodePort: 30443
|
||||
port: 443
|
||||
sds:
|
||||
enabled: true
|
||||
image: node-agent-k8s
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
secretVolumes:
|
||||
- mountPath: /etc/istio/ingressgateway-certs
|
||||
name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
- mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
type: NodePort
|
||||
meshConfig:
|
||||
accessLogFile: /dev/stdout
|
||||
disablePolicyChecks: false
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
||||
omitSidecarInjectorConfigMap: true
|
||||
proxy:
|
||||
accessLogEncoding: JSON
|
||||
autoInject: disabled
|
||||
envoyStatsd:
|
||||
enabled: false
|
||||
useMCP: false
|
||||
pilot:
|
||||
sidecar: false
|
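Review bot: `jwtPolicy: first-party-jwt` under `values.global` selects the legacy mode in which workloads authenticate to the control plane with their long-lived service-account token rather than a short-lived, audience-bound projected token; unless the target clusters lack service-account token projection, `third-party-jwt` is the safer default, and a comment recording why first-party was chosen would keep a later reader from treating it as an oversight. `policy: enabled: true` together with `meshConfig.disablePolicyChecks: false` sends every request through the Mixer policy component (deprecated in this Istio line) while `telemetry` is disabled and no adapters are configured here; if nothing consumes Mixer policy, set `enabled: false` to remove a hop and an extra attack surface. `ISTIO_META_HTTP10` with value `'"1"'` makes the public gateway accept HTTP/1.0 clients; keep it only if a known legacy client needs it and say so in a comment on that env entry.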
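--- a/charts/kubezero-istio/upgrade_from_14.sh
+++ b/charts/kubezero-istio/upgrade_from_14.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# First delete old 1.4
+kubectl delete -f ingress-gateway.yaml
+kubectl delete -f istio.yaml
+kubectl delete -f istio-init.yaml
+kubectl delete -f namespace.yaml
+
+# Now we need to install the new Istio Operator via KubeZero
+
+# deploy the CR for 1.6
+kubectl apply -f istio-1.6.yaml
+
+# add the additiona private ingress gateway as dedicated CR
+kubectl apply -f istio-1.6-private-ingress.yaml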
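Review bot: The script runs unguarded: there is no `set -euo pipefail`, so a failing `kubectl delete` (for example a manifest that is not present) is ignored and the `apply` steps still run, and every `-f` path is resolved against the caller's working directory rather than the script's; add `set -euo pipefail` and `cd "$(dirname "$0")"` directly after the shebang. `kubectl delete -f namespace.yaml` presumably removes the Istio namespace and with it every Secret it holds, including any existing gateway TLS material, before the new operator CRs are applied — if that is intended, the comment should say so, otherwise delete only the old workloads. The manifests it applies, `istio-1.6.yaml` and `istio-1.6-private-ingress.yaml`, are not among the files this commit adds (the templates are `istio.yaml` and `istio-private-ingress.yaml`), and the comment `# Now we need to install the new Istio Operator via KubeZero` describes a step the script does not perform, so the names or the comments need reconciling; `additiona` in the last comment is a typo for `additional`.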
@ -1,3 +1,13 @@
|
||||
istiod:
|
||||
autoscale: true
|
||||
# replicaCount: 2
|
||||
|
||||
ingress:
|
||||
autoscale: true
|
||||
# replicaCount: 2
|
||||
dnsNames:
|
||||
- "*.example.com"
|
||||
|
||||
istio-operator:
|
||||
hub: docker.io/istio
|
||||
tag: 1.6.5
|
||||
|
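Review bot: `dnsNames:` under `ingress:` defaults to `- "*.example.com"`, a placeholder wildcard; rendered through the Certificate template added in this commit it would request a production certificate for a domain the installer does not control, so prefer an empty default (`dnsNames: []`) and have the template fail when it is not overridden. `tag: 1.6.5` with `hub: docker.io/istio` under `istio-operator:` pins an image that installs cluster-wide CRDs by mutable tag only; consider pinning by digest, or document in a comment how the tag is verified before rollout. The header of the file this hunk belongs to is not shown on the page, so its enclosing structure (and which three of the thirteen lines are context) cannot be confirmed here.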
@ -16,10 +16,7 @@ kubezero:
|
||||
cert-manager:
|
||||
enabled: {{ index .Values "cert-manager" "enabled" }}
|
||||
values:
|
||||
{{- if .Values.bootstrap }}
|
||||
localCA:
|
||||
enabled: false
|
||||
{{- else }}
|
||||
{{- if not .Values.bootstrap }}
|
||||
{{- if .Values.aws }}
|
||||
cert-manager:
|
||||
podAnnotations:
|
||||
@ -41,6 +38,7 @@ kubezero:
|
||||
region: {{ .Values.region }}
|
||||
{{- end }}
|
||||
|
||||
# AWS only components
|
||||
{{- if .Values.aws }}
|
||||
aws-ebs-csi-driver:
|
||||
enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}
|
||||
|
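Review bot: `{{- if not .Values.bootstrap }}` immediately followed by `{{- if .Values.aws }}` opens two template blocks inside the cert-manager `values:` stanza, but only one `{{- end }}` is visible on this page (at the top of the second hunk, before `# AWS only components`); the stanza continues outside both hunks, so confirm the second `end` is present and that `values:` does not render as a bare key (null) when neither branch is taken. `enabled: {{ index .Values "cert-manager" "enabled" }}` and the matching `aws-ebs-csi-driver` line render as an empty `enabled:` when the key is absent from the values, which Helm consumers read as null rather than an explicit boolean; quoting is wrong for a boolean, but a `default false` in the expression would make the intent explicit. The header of the file these hunks belong to is not shown on the page.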