feat: New Istio gateway deploy first working PoC
This commit is contained in:
parent
39ba92132e
commit
1a78b7eaaa
@ -1,8 +1,8 @@
|
||||
# kubezero-istio-ingress
|
||||
# kubezero-istio-gateway
|
||||
|
||||
  
|
||||
 
|
||||
|
||||
KubeZero Umbrella Chart for Istio based Ingress
|
||||
KubeZero Umbrella Chart for Istio gateways
|
||||
|
||||
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||
|
||||
@ -12,111 +12,36 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Quarky9 | | |
|
||||
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.18.0`
|
||||
Kubernetes: `>= 1.20.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-ingress | 1.11.3 |
|
||||
| | istio-private-ingress | 1.11.3 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
| https://istio-release.storage.googleapis.com/charts | gateway | 1.13.3 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| global.arch.amd64 | int | `2` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| istio-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | |
|
||||
| istio-ingress.enabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-ingress.telemetry.enabled | bool | `false` | |
|
||||
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
|
||||
| istio-private-ingress.enabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-private-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-private-ingress.telemetry.enabled | bool | `false` | |
|
||||
| certificates[0].dnsNames | list | `[]` | |
|
||||
| certificates[0].name | string | `"ingress-cert"` | |
|
||||
| gateway.autoscaling.enabled | bool | `false` | |
|
||||
| gateway.autoscaling.maxReplicas | int | `4` | |
|
||||
| gateway.autoscaling.minReplicas | int | `1` | |
|
||||
| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
|
||||
| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| gateway.replicaCount | int | `1` | |
|
||||
| gateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| gateway.resources.requests.cpu | string | `"50m"` | |
|
||||
| gateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| gateway.service.externalTrafficPolicy | string | `"Local"` | |
|
||||
| gateway.service.type | string | `"NodePort"` | |
|
||||
| proxyProtocol | bool | `true` | |
|
||||
| telemetry.enabled | string | `"falser"` | |
|
||||
|
||||
## Resources
|
||||
|
||||
|
||||
@ -16,6 +16,6 @@ spec:
|
||||
operation: MERGE
|
||||
value:
|
||||
listener_filters:
|
||||
- name: envoy.listener.proxy_protocol
|
||||
- name: envoy.listener.tls_inspector
|
||||
- name: envoy.filters.listener.proxy_protocol
|
||||
- name: envoy.filters.listener.tls_inspector
|
||||
{{- end }}
|
||||
|
||||
@ -24,64 +24,16 @@ gateway:
|
||||
# noGateway: true -> this port does NOT get mapped to a Gateway port
|
||||
# tls: optional gateway port setting
|
||||
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
nodePort: 30021
|
||||
noGateway: true
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 30080
|
||||
gatewayProtocol: HTTP2
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 30443
|
||||
gatewayProtocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
|
||||
affinity:
|
||||
# Only nodes who are fronted with matching NLB
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node.kubernetes.io/ingress.public
|
||||
operator: Exists
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- istio-ingressgateway
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
|
||||
podAnnotations:
|
||||
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
||||
|
||||
# TODO
|
||||
# custom hardened bootstrap config
|
||||
#env:
|
||||
# ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
|
||||
|
||||
#configVolumes:
|
||||
#- name: custom-bootstrap-volume
|
||||
# mountPath: /etc/istio/custom-bootstrap
|
||||
# configMapName: istio-gateway-bootstrap-config
|
||||
|
||||
|
||||
certificates:
|
||||
- name: ingress-cert
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
||||
telemetry:
|
||||
enabled: false
|
||||
enabled: falser
|
||||
|
||||
proxyProtocol: true
|
||||
|
||||
Loading…
Reference in New Issue
Block a user