Add KubeZero default Istio config

charts/kubezero-istio/templates/ingress-certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: public-ingress-cert
+  namespace: istio-system
+spec:
+  secretName: public-ingress-cert
+  issuerRef:
+    name: letsencrypt-dns-prod
+    kind: ClusterIssuer
+  dnsNames:
+{{ toYaml .Values.ingress.dnsNames | indent 4 }}

charts/kubezero-istio/templates/ingress-gateway.yaml

@@ -0,0 +1,68 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: ingressgateway
+  namespace: istio-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP2
+    hosts:
+    - "*"
+    tls:
+      httpsRedirect: true
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*"
+    tls:
+      mode: SIMPLE
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+      credentialName: public-ingress-cert
+
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: private-ingressgateway
+  namespace: istio-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  selector:
+    istio: private-ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP2
+    hosts:
+    - "*"
+    tls:
+      httpsRedirect: true
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*"
+    tls:
+      mode: SIMPLE
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+      credentialName: public-ingress-cert
+  - port:
+      number: 24224
+      name: fluentd-forward
+      protocol: TCP
+    hosts:
+    - "*"

charts/kubezero-istio/templates/istio-private-ingress.yaml

@@ -0,0 +1,97 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  name: kubezero-istio-private-ingress
+  namespace: istio-system
+spec:
+  profile: empty
+  components:
+    ingressGateways:
+    - name: istio-private-ingressgateway
+      enabled: true
+      namespace: istio-system
+      k8s:
+        env:
+        - name: ISTIO_META_HTTP10
+          value: '"1"'
+        - name: ISTIO_META_ROUTER_MODE
+          value: standard
+        hpaSpec:
+          maxReplicas: 5
+          metrics:
+          - resource:
+              name: cpu
+              targetAverageUtilization: 80
+            type: Resource
+          minReplicas: 1
+          scaleTargetRef:
+            apiVersion: apps/v1
+            kind: Deployment
+            name: istio-private-ingressgateway
+        nodeSelector:
+          node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 1024Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        strategy:
+          rollingUpdate:
+            maxSurge: 100%
+            maxUnavailable: 25%
+  values:
+    gateways:
+      istio-ingressgateway:
+        externalTrafficPolicy: Local
+        labels:
+          app: istio-private-ingressgateway
+          istio: private-ingressgateway
+        meshExpansionPorts: []
+        podAntiAffinityLabelSelector:
+        - key: app
+          operator: In
+          topologyKey: kubernetes.io/hostname
+          values: istio-ingressgateway
+        ports:
+        - name: http2
+          nodePort: 31080
+          port: 80
+          targetPort: 80
+        - name: https
+          nodePort: 31443
+          port: 443
+        - name: amqp
+          nodePort: 30672
+          port: 5672
+          targetPort: 5672
+        - name: amqps
+          nodePort: 30671
+          port: 5671
+          targetPort: 5671
+        - name: fluentd-forward
+          nodePort: 31224
+          port: 24224
+          targetPort: 24224
+        sds:
+          enabled: true
+          image: node-agent-k8s
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 1024Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+        secretVolumes:
+        - mountPath: /etc/istio/ingressgateway-certs
+          name: ingressgateway-certs
+          secretName: istio-ingressgateway-certs
+        - mountPath: /etc/istio/ingressgateway-ca-certs
+          name: ingressgateway-ca-certs
+          secretName: istio-ingressgateway-ca-certs
+        type: NodePort
+
+    global:
+      jwtPolicy: first-party-jwt

charts/kubezero-istio/templates/istio.yaml

@@ -0,0 +1,130 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  name: kubezero-istio
+  namespace: istio-system
+spec:
+  profile: empty
+  addonComponents:
+    prometheus:
+      enabled: false
+  components:
+    base:
+      enabled: true
+    citadel:
+      enabled: false
+    galley:
+      enabled: false
+    ingressGateways:
+    - enabled: true
+      k8s:
+        env:
+        - name: ISTIO_META_HTTP10
+          value: '"1"'
+        - name: ISTIO_META_ROUTER_MODE
+          value: standard
+        hpaSpec:
+          maxReplicas: 5
+          metrics:
+          - resource:
+              name: cpu
+              targetAverageUtilization: 80
+            type: Resource
+          minReplicas: 1
+          scaleTargetRef:
+            apiVersion: apps/v1
+            kind: Deployment
+            name: istio-ingressgateway
+        nodeSelector:
+          node.kubernetes.io/ingress.public: "30080_30443"
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 1024Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        strategy:
+          rollingUpdate:
+            maxSurge: 100%
+            maxUnavailable: 25%
+      name: istio-ingressgateway
+    pilot:
+      enabled: true
+      k8s:
+        nodeSelector:
+          node-role.kubernetes.io/master: ""
+        replicaCount: 1
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+    policy:
+      enabled: true
+      k8s:
+        replicaCount: 1
+        nodeSelector:
+          node-role.kubernetes.io/master: ""
+        tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+    sidecarInjector:
+      enabled: false
+    telemetry:
+      enabled: false
+  values:
+    gateways:
+      istio-ingressgateway:
+        externalTrafficPolicy: Local
+        labels:
+          app: istio-ingressgateway
+          istio: ingressgateway
+        meshExpansionPorts: []
+        podAntiAffinityLabelSelector:
+        - key: app
+          operator: In
+          topologyKey: kubernetes.io/hostname
+          values: istio-ingressgateway
+        ports:
+        - name: http2
+          nodePort: 30080
+          port: 80
+          targetPort: 80
+        - name: https
+          nodePort: 30443
+          port: 443
+        sds:
+          enabled: true
+          image: node-agent-k8s
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 1024Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+        secretVolumes:
+        - mountPath: /etc/istio/ingressgateway-certs
+          name: ingressgateway-certs
+          secretName: istio-ingressgateway-certs
+        - mountPath: /etc/istio/ingressgateway-ca-certs
+          name: ingressgateway-ca-certs
+          secretName: istio-ingressgateway-ca-certs
+        type: NodePort
+    meshConfig:
+      accessLogFile: /dev/stdout
+      disablePolicyChecks: false
+    global:
+      jwtPolicy: first-party-jwt
+      omitSidecarInjectorConfigMap: true
+      proxy:
+        accessLogEncoding: JSON
+        autoInject: disabled
+        envoyStatsd:
+          enabled: false
+      useMCP: false
+    pilot:
+      sidecar: false

charts/kubezero-istio/upgrade_from_14.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# First delete old 1.4 
+kubectl delete -f ingress-gateway.yaml
+kubectl delete -f istio.yaml
+kubectl delete -f istio-init.yaml
+kubectl delete -f namespace.yaml
+
+# Now we need to install the new Istio Operator via KubeZero
+
+# deploy the CR for 1.6
+kubectl apply -f istio-1.6.yaml
+
+# add the additiona private ingress gateway as dedicated CR
+kubectl apply -f istio-1.6-private-ingress.yaml

charts/kubezero-istio/values.yaml

@@ -1,3 +1,13 @@
+istiod:
+  autoscale: true
+  # replicaCount: 2
+
+ingress:
+  autoscale: true
+  # replicaCount: 2
+  dnsNames:
+  - "*.example.com"
+
 istio-operator:
   hub: docker.io/istio
   tag: 1.6.5

deploy/templates/values.yaml

@@ -16,10 +16,7 @@ kubezero:
   cert-manager:
     enabled: {{ index .Values "cert-manager" "enabled" }}
     values:
-{{- if .Values.bootstrap }}
-      localCA:
-        enabled: false 
-{{- else }}
+{{- if not .Values.bootstrap }}
       {{- if .Values.aws }}
       cert-manager:
         podAnnotations:
@@ -41,6 +38,7 @@ kubezero:
                 region: {{ .Values.region }}
               {{- end }}
 
+  # AWS only components
   {{- if .Values.aws }}
   aws-ebs-csi-driver:
     enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}