diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index f5aa0645..4e4e5bc3 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.5.0 -appVersion: 1.9.1 +version: 0.5.1 +appVersion: 1.9.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,9 +16,9 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-ingress - version: 1.9.1 + version: 1.9.2 condition: istio-ingress.enabled - name: istio-private-ingress - version: 1.9.1 + version: 1.9.2 condition: istio-private-ingress.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml index d402a1f8..4973d36d 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-ingress -version: 1.9.1 +version: 1.9.2 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml index 0b339dc6..8cf8f668 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml @@ -3,7 +3,7 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | indent 4 }} 
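Review bot: Dropping `| default "istio-ingressgateway"` from the HPA `name` makes the resource name depend entirely on `gateways.istio-ingressgateway.name` being set in values; the diff does not show values.yaml providing it, and if it is ever absent the field renders empty and the API server rejects the object. The same removal is repeated in the second autoscale hunk, in deployment.yaml, poddisruptionbudget.yaml, role.yaml, rolebindings.yaml, service.yaml and serviceaccount.yaml, and in all the istio-private-ingress copies, while the new injected-deployment.yaml keeps the default, so the two Deployment variants can disagree on the name they (and the Role/RoleBinding/ServiceAccount) bind to. Either keep the default consistently or drop it from injected-deployment.yaml as well, and mark `name` as required in the values.yaml comment so the contract is visible.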
@@ -17,7 +17,7 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} metrics: - type: Resource resource: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml index 0c32e2f2..70af55a2 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml @@ -1,8 +1,10 @@ + {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | indent 4 }} @@ -32,7 +34,7 @@ spec: release: istio chart: gateways {{- end }} - service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + service.istio.io/canonical-name: {{ $gateway.name }} {{- if not (eq .Values.revision "") }} service.istio.io/canonical-revision: {{ .Values.revision }} {{- else}} 
@@ -41,14 +43,17 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + {{- if ne $gateway.injectionTemplate "" }} + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" + {{- end}} {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} @@ -60,7 +65,7 @@ spec: runAsNonRoot: true fsGroup: 1337 {{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + serviceAccountName: {{ $gateway.name }}-service-account {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} @@ -123,7 +128,7 @@ spec: - --log_as_json {{- end }} - --serviceCluster - - {{ $gateway.name | default "istio-ingressgateway" }} + - {{ $gateway.name }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} @@ -201,9 +206,9 @@ spec: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name | default "istio-ingressgateway" }} + value: {{ $gateway.name }} - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" 
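Review bot: The new `sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"` label and annotation, and the `{{- if ne $gateway.injectionTemplate "" }} inject.istio.io/templates … {{- end}}` block, are dead inside this file: the hunk at the top wraps the whole template in `{{- if eq $gateway.injectionTemplate "" }}` (closed by the `{{- end }}` added at the bottom), so here the expression always renders `"false"` and the annotation block never fires. Keeping the literal `sidecar.istio.io/inject: "false"` on both lines and dropping the three-line conditional says the same thing without sending the reader to injected-deployment.yaml to find out why it is never true; the `{{-` inside the quotes is also a no-op since nothing precedes it but `"`. If the block is kept, `{{- end}}` should be written `{{- end }}` like the rest of the file. The identical hunk in charts/istio-private-ingress/templates/deployment.yaml has the same issue.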
@@ -349,3 +354,4 @@ spec: tolerations: {{ toYaml .Values.global.defaultTolerations | indent 6 }} {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml new file mode 100644 index 00000000..1115d18d --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml 
@@ -0,0 +1,143 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 
}} +{{- end }} + volumes: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml index d0b480d7..523a43fc 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml @@ -3,7 +3,7 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | trim | indent 4 }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml deleted file mode 100644 index 230e3446..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml +++ /dev/null 
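Review bot: In the `env` range of this new file, `value: {{ $val }}` is emitted unquoted, so an entry in `gateways.istio-ingressgateway.env` whose value looks like a number or boolean renders as a YAML int/bool and the API server rejects the Deployment because `EnvVar.value` must be a string; `value: {{ $val | quote }}` avoids that, and the file already quotes the neighbouring `ISTIO_META_UNPRIVILEGED_POD` value for this reason. `istio.io/rev: {{ . }}` inside `with .Values.revision` is unquoted in the same way and a dotted revision would be read as a float label value, so `{{ . | quote }}` is worth adding there too. Note also that the hardened container `securityContext` (`drop: ALL`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`) is omitted entirely, not merely relaxed, when `runAsRoot` is true, which the values.yaml comment on `runAsRoot` should say. The istio-private-ingress copy of injected-deployment.yaml carries the same lines.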
@@ -1,78 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if .Values.global.multiCluster.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - selector: - istio: ingressgateway - servers: - - hosts: - - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" - port: - name: tls - number: 15443 - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -{{- if .Values.global.multiCluster.includeEnvoyFilter }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - listener: - portNumber: 15443 - filterChain: - filter: - name: "envoy.filters.network.sni_cluster" - patch: - operation: INSERT_AFTER - value: - name: "envoy.filters.network.tcp_cluster_rewrite" - typed_config: - "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" - cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" - cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" ---- -{{- end }} -## To ensure all traffic to globalDomainSuffix is using mTLS -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ 
.Release.Name }} -spec: - host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" - {{- if .Values.global.defaultConfigVisibilitySettings }} - exportTo: - - '*' - {{- end }} - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml index 7d931728..3e21bca5 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds namespace: {{ .Release.Namespace }} labels: release: {{ .Release.Name }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml index 81625cb3..d4525579 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds namespace: {{ .Release.Namespace }} labels: release: {{ .Release.Name }} @@ -12,8 +12,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds subjects: - kind: ServiceAccount - name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + name: {{ $gateway.name }}-service-account --- 
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml index 0f9dbf25..a3b97be1 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := $gateway.serviceAnnotations }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml index 4b0ab1ae..458800cb 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml @@ -8,7 +8,7 @@ imagePullSecrets: {{- end }} {{- end }} metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + name: {{ $gateway.name }}-service-account namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | trim | indent 4 }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml index 249b3a81..001568ef 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -120,6 +120,9 @@ gateways: # whether to run the gateway in a privileged container runAsRoot: false + # The injection template to use for the gateway. If not set, no injection will be performed. + injectionTemplate: "" + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. revision: "" 
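Review bot: The comment on the new `injectionTemplate` key describes only the empty case; from the templates in this commit the value actually selects which Deployment is rendered (deployment.yaml when empty, injected-deployment.yaml otherwise) and is written verbatim into the `inject.istio.io/templates` annotation, which is what a reader of values.yaml needs to know. Suggested comment: `# Name of the istiod injection template for the gateway pod. Empty renders the classic, non-injected Deployment; any other value renders injected-deployment.yaml with sidecar injection enabled and inject.istio.io/templates set to this name.` The same key and comment are added to the istio-private-ingress values.yaml and should be updated together.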
@@ -171,7 +174,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.1 + tag: 1.9.2 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml index 37863354..19ccd4b4 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-private-ingress -version: 1.9.1 +version: 1.9.2 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml index 0b339dc6..8cf8f668 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml @@ -3,7 +3,7 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | indent 4 }} @@ -17,7 +17,7 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} metrics: - type: Resource resource: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml index 0c32e2f2..70af55a2 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml 
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -1,8 +1,10 @@ + {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | indent 4 }} @@ -32,7 +34,7 @@ spec: release: istio chart: gateways {{- end }} - service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + service.istio.io/canonical-name: {{ $gateway.name }} {{- if not (eq .Values.revision "") }} service.istio.io/canonical-revision: {{ .Values.revision }} {{- else}} @@ -41,14 +43,17 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "false" + sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + {{- if ne $gateway.injectionTemplate "" }} + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" + {{- end}} {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} @@ -60,7 +65,7 @@ spec: runAsNonRoot: true fsGroup: 1337 {{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + serviceAccountName: {{ $gateway.name }}-service-account {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} 
@@ -123,7 +128,7 @@ spec: - --log_as_json {{- end }} - --serviceCluster - - {{ $gateway.name | default "istio-ingressgateway" }} + - {{ $gateway.name }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} @@ -201,9 +206,9 @@ spec: fieldRef: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name | default "istio-ingressgateway" }} + value: {{ $gateway.name }} - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" @@ -349,3 +354,4 @@ spec: tolerations: {{ toYaml .Values.global.defaultTolerations | indent 6 }} {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml new file mode 100644 index 00000000..1115d18d --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml 
@@ -0,0 +1,143 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 
}} +{{- end }} + volumes: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml index d0b480d7..523a43fc 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml @@ -3,7 +3,7 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | trim | indent 4 }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml deleted file mode 100644 index 230e3446..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if .Values.global.multiCluster.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - selector: - istio: ingressgateway - servers: - - hosts: - - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" - port: - name: tls - number: 15443 - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -{{- if .Values.global.multiCluster.includeEnvoyFilter }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - listener: - portNumber: 15443 - filterChain: - filter: - name: "envoy.filters.network.sni_cluster" - patch: - operation: INSERT_AFTER - value: - name: "envoy.filters.network.tcp_cluster_rewrite" - typed_config: - "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" - cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" - cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" ---- -{{- end }} -## To ensure all traffic to globalDomainSuffix is using mTLS -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ 
.Release.Name }} -spec: - host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" - {{- if .Values.global.defaultConfigVisibilitySettings }} - exportTo: - - '*' - {{- end }} - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml index 7d931728..3e21bca5 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds namespace: {{ .Release.Namespace }} labels: release: {{ .Release.Name }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml index 81625cb3..d4525579 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds namespace: {{ .Release.Namespace }} labels: release: {{ .Release.Name }} @@ -12,8 +12,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + name: {{ $gateway.name }}-sds subjects: - kind: ServiceAccount - name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + name: {{ $gateway.name }}-service-account --- 
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml index 0f9dbf25..a3b97be1 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} + name: {{ $gateway.name }} namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := $gateway.serviceAnnotations }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml index 4b0ab1ae..458800cb 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml @@ -8,7 +8,7 @@ imagePullSecrets: {{- end }} {{- end }} metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + name: {{ $gateway.name }}-service-account namespace: {{ .Release.Namespace }} labels: {{ $gateway.labels | toYaml | trim | indent 4 }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml index 249b3a81..001568ef 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml 
@@ -120,6 +120,9 @@ gateways:
 # whether to run the gateway in a privileged container
 runAsRoot: false
+ # The injection template to use for the gateway. If not set, no injection will be performed.
+ injectionTemplate: ""
+
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
 revision: ""
@@ -171,7 +174,7 @@ global:
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.9.1
+ tag: 1.9.2
 # Specify image pull policy if default behavior isn't desired.
 # Default behavior: latest images will be Always else IfNotPresent.
diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml
index bae339a1..d8951870 100644
--- a/charts/kubezero-istio/Chart.yaml
+++ b/charts/kubezero-istio/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.5.0
-appVersion: 1.9.1
+version: 0.5.1
+appVersion: 1.9.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,7 +16,7 @@ dependencies:
 version: ">= 0.1.3"
 repository: https://zero-down-time.github.io/kubezero/
 - name: base
- version: 1.9.1
+ version: 1.9.2
 - name: istio-discovery
- version: 1.9.1
+ version: 1.9.2
 kubeVersion: ">= 1.18.0"
diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml
index e6142de0..6b1b1655 100644
--- a/charts/kubezero-istio/charts/base/Chart.yaml
+++ b/charts/kubezero-istio/charts/base/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: base
-version: 1.9.1
+version: 1.9.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio cluster resources and CRDs
 keywords:
diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
index faddc02a..0f649046 100644
--- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
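Review bot: The new `injectionTemplate` comment explains what an empty value does but not what a non-empty one should contain, which is the case an operator actually has to get right. The istiod injector configmap hunk later in this commit registers the gateway template under the key `gateway`, so naming it here would spare readers a search: `# The injection template to use for the gateway, e.g. "gateway" as registered in the istiod injector configmap. If not set, no injection will be performed.` Whether the value must match that key exactly is not visible in this hunk; I am inferring it from the configmap change.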
+++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -2473,7 +2473,8 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including + the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index 2fda970e..365ca20b 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml +++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -2475,7 +2475,8 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including + the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml index a43db08d..fcf5f356 100644 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-discovery -version: 1.9.1 +version: 1.9.2 tillerVersion: ">=2.7.2" description: Helm chart for istio control plane keywords: diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml new file mode 100644 index 00000000..ab3e6522 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml 
@@ -0,0 +1,233 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta 
`sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: 
"{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml index 4a4077a1..71d892cb 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml 
@@ -695,6 +695,240 @@ data: securityContext: fsGroup: 1337 {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault 
.Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- # Source: istio-discovery/templates/service.yaml apiVersion: v1 diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml index b9b9866d..8b1f156c 100644 
--- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
@@ -1,4 +1,4 @@
- {{- $containers := list }}
+{{- $containers := list }}
 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
 metadata:
 labels:
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
index 15ece14b..b874bc24 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
@@ -48,6 +48,10 @@ data:
 sidecar: |
 {{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
 {{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
 {{- with .Values.sidecarInjectorWebhook.templates }}
 {{ toYaml . | trim | indent 6 }}
 {{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml
index 6491504f..c42d2841 100644
--- a/charts/kubezero-istio/charts/istio-discovery/values.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml
@@ -232,7 +232,7 @@ global:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.9.1
+ tag: 1.9.2
 # Specify image pull policy if default behavior isn't desired.
 # Default behavior: latest images will be Always else IfNotPresent.
diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh
index db27e799..34247fbb 100755
--- a/charts/kubezero-istio/update.sh
+++ b/charts/kubezero-istio/update.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -ex
-export ISTIO_VERSION=1.9.1
+export ISTIO_VERSION=1.9.2
 if [ ! -d istio-$ISTIO_VERSION ]; then
 NAME="istio-$ISTIO_VERSION"