ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: New Istio gateway deploy first working PoC

Browse Source
This commit is contained in:
Stefan Reimer 2022-04-21 16:37:28 +02:00
parent 39ba92132e
commit 1a78b7eaaa
3 changed files with 24 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
charts/kubezero-istio-gateway/README.md
View File

@ -1,8 +1,8 @@
# kubezero-istio-ingress # kubezero-istio-gateway
![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) ![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress KubeZero Umbrella Chart for Istio gateways
Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
@ -12,111 +12,36 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
| Name | Email | Url | | Name | Email | Url |
| ---- | ------ | --- | | ---- | ------ | --- |
| Quarky9 | | | | Stefan Reimer | stefan@zero-downtime.net | |
## Requirements ## Requirements
Kubernetes: `>= 1.18.0` Kubernetes: `>= 1.20.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | istio-ingress | 1.11.3 |
| | istio-private-ingress | 1.11.3 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
| https://istio-release.storage.googleapis.com/charts | gateway | 1.13.3 |
## Values ## Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| global.arch.amd64 | int | `2` | | | certificates[0].dnsNames | list | `[]` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | | | certificates[0].name | string | `"ingress-cert"` | |
| global.logAsJson | bool | `true` | | | gateway.autoscaling.enabled | bool | `false` | |
| global.priorityClassName | string | `"system-cluster-critical"` | | | gateway.autoscaling.maxReplicas | int | `4` | |
| istio-ingress.certificates[0].dnsNames | list | `[]` | | | gateway.autoscaling.minReplicas | int | `1` | |
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | | | gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| istio-ingress.enabled | bool | `false` | | | gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | | gateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | | gateway.resources.limits.memory | string | `"512Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | | gateway.resources.requests.cpu | string | `"50m"` | |
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | | gateway.resources.requests.memory | string | `"64Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | | gateway.service.externalTrafficPolicy | string | `"Local"` | |
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | | gateway.service.type | string | `"NodePort"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | | | proxyProtocol | bool | `true` | |
| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | | telemetry.enabled | string | `"falser"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-ingress.proxyProtocol | bool | `true` | |
| istio-ingress.telemetry.enabled | bool | `false` | |
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-private-ingress.proxyProtocol | bool | `true` | |
| istio-private-ingress.telemetry.enabled | bool | `false` | |
## Resources ## Resources

4
charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml
View File

@ -16,6 +16,6 @@ spec:
operation: MERGE operation: MERGE
value: value:
listener_filters: listener_filters:
- name: envoy.listener.proxy_protocol - name: envoy.filters.listener.proxy_protocol
- name: envoy.listener.tls_inspector - name: envoy.filters.listener.tls_inspector
{{- end }} {{- end }}

50
charts/kubezero-istio-gateway/values.yaml
View File

@ -24,64 +24,16 @@ gateway:
# noGateway: true -> this port does NOT get mapped to a Gateway port # noGateway: true -> this port does NOT get mapped to a Gateway port
# tls: optional gateway port setting # tls: optional gateway port setting
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
ports:
- name: status-port
port: 15021
nodePort: 30021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 30443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
affinity:
# Only nodes who are fronted with matching NLB
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/ingress.public
operator: Exists
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- istio-ingressgateway
topologyKey: "kubernetes.io/hostname"
podAnnotations: podAnnotations:
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# TODO
# custom hardened bootstrap config
#env:
# ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
#configVolumes:
#- name: custom-bootstrap-volume
# mountPath: /etc/istio/custom-bootstrap
# configMapName: istio-gateway-bootstrap-config
certificates: certificates:
- name: ingress-cert - name: ingress-cert
dnsNames: [] dnsNames: []
# - '*.example.com' # - '*.example.com'
telemetry: telemetry:
enabled: false enabled: falser
proxyProtocol: true proxyProtocol: true