From 39ba92132e3f05bfadf4b1775d593b008a54f2de Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Thu, 21 Apr 2022 13:57:34 +0200 Subject: [PATCH] feat: Istio Ingress migration to new gateway charts --- charts/kubezero-ci/Chart.yaml | 4 +- charts/kubezero-ci/update.sh | 2 + charts/kubezero-ci/values.yaml | 2 +- .../Chart.yaml | 16 +- .../README.md | 0 .../README.md.gotmpl | 0 .../charts/gateway/Chart.yaml | 12 + .../charts/gateway/README.md | 148 ++++++++ .../charts/gateway/templates/NOTES.txt | 9 + .../charts/gateway/templates/_helpers.tpl | 52 +++ .../charts/gateway/templates/deployment.yaml | 104 ++++++ .../charts/gateway/templates/hpa.yaml | 28 ++ .../charts/gateway/templates/role.yaml | 25 ++ .../charts/gateway/templates/service.yaml | 52 +++ .../gateway/templates/serviceaccount.yaml | 13 + .../charts/gateway/values.schema.json | 193 ++++++++++ .../charts/gateway/values.yaml | 88 +++++ .../templates/_gateway.tpl | 11 + .../templates/bootstrap-config.yaml | 4 +- .../templates/envoyfilter-hardening.yaml | 9 +- .../templates/envoyfilter-keepalive-nlb.yaml | 29 ++ .../templates/envoyfilter-proxy-protocol.yaml | 21 ++ .../templates/ingress-certificate.yaml | 19 + .../templates/ingress-gateway.yaml | 12 +- .../templates/podmonitor.yaml | 6 +- charts/kubezero-istio-gateway/update.sh | 11 + charts/kubezero-istio-gateway/values.yaml | 87 +++++ charts/kubezero-istio-gateway/zdt.patch | 40 +++ charts/kubezero-istio-ingress/.helmignore | 1 - .../charts/istio-ingress/Chart.yaml | 13 - .../charts/istio-ingress/NOTES.txt | 43 --- .../istio-ingress/templates/_affinity.tpl | 105 ------ .../istio-ingress/templates/autoscale.yaml | 27 -- .../istio-ingress/templates/deployment.yaml | 335 ------------------ .../templates/injected-deployment.yaml | 143 -------- .../templates/poddisruptionbudget.yaml | 19 - .../charts/istio-ingress/templates/role.yaml | 16 - .../istio-ingress/templates/rolebindings.yaml | 19 - .../istio-ingress/templates/service.yaml | 49 --- .../templates/serviceaccount.yaml | 22 -- .../charts/istio-ingress/values.yaml | 326 
----------------- .../charts/istio-private-ingress/Chart.yaml | 13 - .../charts/istio-private-ingress/NOTES.txt | 43 --- .../templates/_affinity.tpl | 105 ------ .../templates/autoscale.yaml | 27 -- .../templates/deployment.yaml | 335 ------------------ .../templates/injected-deployment.yaml | 143 -------- .../templates/poddisruptionbudget.yaml | 19 - .../istio-private-ingress/templates/role.yaml | 16 - .../templates/rolebindings.yaml | 19 - .../templates/service.yaml | 49 --- .../templates/serviceaccount.yaml | 22 -- .../charts/istio-private-ingress/values.yaml | 326 ----------------- .../templates/envoyfilter-keepalive-nlb.yaml | 64 ---- .../templates/envoyfilter-proxy-protocol.yaml | 44 --- .../templates/ingress-certificate.yaml | 39 -- .../templates/ingress-private-gateway.yaml | 19 - charts/kubezero-istio-ingress/values.yaml | 203 ----------- charts/kubezero-istio/dashboards.yaml | 2 +- .../templates/grafana-dashboards.yaml | 2 +- charts/kubezero/templates/_app.tpl | 4 + charts/kubezero/templates/istio-ingress.yaml | 51 --- .../templates/istio-private-ingress.yaml | 28 ++ charts/kubezero/templates/istio.yaml | 4 +- charts/kubezero/values.yaml | 10 +- 65 files changed, 1011 insertions(+), 2691 deletions(-) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/Chart.yaml (56%) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/README.md (100%) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/README.md.gotmpl (100%) create mode 100644 charts/kubezero-istio-gateway/charts/gateway/Chart.yaml create mode 100644 charts/kubezero-istio-gateway/charts/gateway/README.md create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml create mode 100644 
charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml create mode 100644 charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml create mode 100644 charts/kubezero-istio-gateway/charts/gateway/values.schema.json create mode 100644 charts/kubezero-istio-gateway/charts/gateway/values.yaml rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/templates/_gateway.tpl (77%) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/templates/bootstrap-config.yaml (91%) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/templates/envoyfilter-hardening.yaml (85%) create mode 100644 charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml create mode 100644 charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml create mode 100644 charts/kubezero-istio-gateway/templates/ingress-certificate.yaml rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/templates/ingress-gateway.yaml (50%) rename charts/{kubezero-istio-ingress => kubezero-istio-gateway}/templates/podmonitor.yaml (84%) create mode 100755 charts/kubezero-istio-gateway/update.sh create mode 100644 charts/kubezero-istio-gateway/values.yaml create mode 100644 charts/kubezero-istio-gateway/zdt.patch delete mode 120000 charts/kubezero-istio-ingress/.helmignore delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml delete mode 100644 
charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml delete mode 100644 charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml delete mode 100644 charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml delete mode 100644 
charts/kubezero-istio-ingress/templates/ingress-certificate.yaml delete mode 100644 charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml delete mode 100644 charts/kubezero-istio-ingress/values.yaml delete mode 100644 charts/kubezero/templates/istio-ingress.yaml create mode 100644 charts/kubezero/templates/istio-private-ingress.yaml diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index 84291d93..f840cf2b 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-ci description: KubeZero umbrella chart for all things CI type: application -version: 0.4.44 +version: 0.4.45 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -22,7 +22,7 @@ dependencies: repository: https://gocd.github.io/helm-chart condition: gocd.enabled - name: gitea - version: 5.0.3 + version: 5.0.5 repository: https://dl.gitea.io/charts/ condition: gitea.enabled - name: jenkins diff --git a/charts/kubezero-ci/update.sh b/charts/kubezero-ci/update.sh index ccb83977..035ab68d 100755 --- a/charts/kubezero-ci/update.sh +++ b/charts/kubezero-ci/update.sh @@ -1,4 +1,6 @@ #!/bin/bash +helm dep update + # Create ZDT dashboard configmap ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index 77c1e6bd..e4674655 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -17,7 +17,7 @@ gitea: enabled: false image: - tag: 1.16.5 + tag: 1.16.6 rootless: true securityContext: diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-gateway/Chart.yaml similarity index 56% rename from charts/kubezero-istio-ingress/Chart.yaml rename to charts/kubezero-istio-gateway/Chart.yaml index aff9a4be..3bf12e02 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml 
+++ b/charts/kubezero-istio-gateway/Chart.yaml
@@ -1,9 +1,8 @@
 apiVersion: v2
-name: kubezero-istio-ingress
-description: KubeZero Umbrella Chart for Istio based Ingress
+name: kubezero-istio-gateway
+description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.7.6
-appVersion: 1.11.5
+version: 0.8.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -17,10 +16,7 @@ dependencies:
 - name: kubezero-lib
 version: ">= 0.1.4"
 repository: https://cdn.zero-downtime.net/charts/
- - name: istio-ingress
- version: 1.11.5
- condition: istio-ingress.enabled
- - name: istio-private-ingress
- version: 1.11.5
- condition: istio-private-ingress.enabled
+ - name: gateway
+ version: 1.13.3
+ repository: https://istio-release.storage.googleapis.com/charts
 kubeVersion: ">= 1.20.0"
diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-gateway/README.md
similarity index 100%
rename from charts/kubezero-istio-ingress/README.md
rename to charts/kubezero-istio-gateway/README.md
diff --git a/charts/kubezero-istio-ingress/README.md.gotmpl b/charts/kubezero-istio-gateway/README.md.gotmpl
similarity index 100%
rename from charts/kubezero-istio-ingress/README.md.gotmpl
rename to charts/kubezero-istio-gateway/README.md.gotmpl
diff --git a/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml
new file mode 100644
index 00000000..320d8ed0
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.13.3
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- http://github.com/istio/istio
+type: application
+version: 1.13.3
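Review bot: The `gateway` dependency added at the end of the second hunk is resolved from `https://istio-release.storage.googleapis.com/charts` at `version: 1.13.3`, yet no Chart.lock appears in the diffstat, so nothing pins the digest of what `helm dep update` writes into `charts/gateway` (unless Chart.lock is ignored elsewhere in this repo). Because that vendored copy is carried with local modifications (a `zdt.patch` is listed in the diffstat), an upstream re-publish under the same version tag would silently change the base those patches apply to; committing the generated Chart.lock keeps the dependency reproducible and makes a changed upstream artifact visible as a diff. The removed `appVersion: 1.11.5` in the first hunk is not replaced — `appVersion: 1.13.3` would keep the umbrella's metadata in step with the subchart it now ships.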
diff --git a/charts/kubezero-istio-gateway/charts/gateway/README.md b/charts/kubezero-istio-gateway/charts/gateway/README.md new file mode 100644 index 00000000..0e58c00f --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/README.md 
@@ -0,0 +1,148 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. 
+ +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. 
+ +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. 
Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt b/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt new file mode 100644 index 00000000..78451d33 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl b/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl new file mode 100644 index 00000000..e75d2734 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl 
@@ -0,0 +1,52 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+ {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+ {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+{{- if hasKey .Values.labels "app" }}
+{{- with .Values.labels.app }}app: {{.|quote}}
+{{- end}}
+{{- else }}app: {{ include "gateway.name" . }}
+{{- end }}
+{{- if hasKey .Values.labels "istio" }}
+{{- with .Values.labels.istio }}
+istio: {{.|quote}}
+{{- end}}
+{{- else }}
+istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml
new file mode 100644
index 00000000..b86dc293
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ # Give the LB 120s to detect and take into service
+ # should only be 40s by we are on AWS so ...
+ minReadySeconds: 120
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ sidecar.istio.io/inject: "true"
+ {{- with .Values.revision }}
+ istio.io/rev: {{ . }}
+ {{- end }}
+ {{- include "gateway.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 120
+ serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ containers:
+ - name: istio-proxy
+ # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+ image: auto
+ securityContext:
+ {{- if .Values.containerSecurityContext }}
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ {{- else }}
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 0
+ runAsGroup: 1337
+ runAsNonRoot: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: true
+ {{- end }}
+ env:
+ {{- with .Values.networkGateway }}
+ - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+ value: "{{.}}"
+ {{- end }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml
new file mode 100644
index 00000000..956a5ee5
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml
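Review bot: The `{{- else }}` branch of the container `securityContext` (mid-hunk) renders istio-proxy with `runAsUser: 0`, `runAsNonRoot: false` and `allowPrivilegeEscalation: true` whenever `containerSecurityContext` is empty and the cluster does not report `>=1.22-0`, and the umbrella's `kubeVersion: ">= 1.20.0"` together with the `containerSecurityContext: ~` default in the new values.yaml makes that the shipped configuration on 1.20/1.21 clusters. Raising the umbrella's `kubeVersion` to `>= 1.22.0`, or setting `containerSecurityContext` (and the pod-level `securityContext` above it) from the umbrella values, makes the non-root branch the only one that can render; neither branch sets `seccompProfile: {type: RuntimeDefault}` either, which is worth adding to the same override. The local edit `# should only be 40s by we are on AWS so ...` reads as a typo for `but`; since this file is a vendored upstream template carried with zdt.patch, both changes belong in that patch rather than in the vendored copy directly.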
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "gateway.name" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+
+{{- end }}
diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml
new file mode 100644
index 00000000..3febf79b
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml
@@ -0,0 +1,25 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
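Review bot: `apiVersion: autoscaling/v2beta2` on the second line of the hpa.yaml hunk is deprecated from Kubernetes 1.23 and removed in 1.26, while the umbrella's `kubeVersion: ">= 1.20.0"` admits clusters on both sides of that line. Picking the version from the cluster with `apiVersion: {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}autoscaling/v2{{ else }}autoscaling/v2beta2{{ end }}` keeps the chart installable on 1.20 and on 1.26+ alike (the field names used here, `averageUtilization`/`type: Utilization`, are the same in both versions). As with the other files under charts/gateway this is vendored, so the change would go into zdt.patch.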
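Review bot: The Role in the role.yaml hunk grants `get`, `watch`, `list` on every Secret in `.Release.Namespace`, not only the gateway's own TLS credentials, and `rbac.enabled` defaults to `true` in the new values.yaml. That is what Istio's SDS needs to resolve `credentialName`, but it also means the gateway ServiceAccount can read any other Secret placed in the same namespace — if the umbrella installs this into `istio-system` next to istiod (not visible in this chunk), that includes the mesh CA material. A dedicated namespace for the gateway keeps the reach of this Role to ingress certificates; a comment above `rules:` such as `# grants read on ALL secrets in this namespace — keep the namespace to gateway TLS secrets only` would make the constraint explicit to whoever picks the namespace.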
diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml
new file mode 100644
index 00000000..bfef1ffe
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml
@@ -0,0 +1,52 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.networkGateway }}
+ topology.istio.io/network: "{{.}}"
+ {{- end }}
+ annotations:
+ {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+ externalTrafficPolicy: "{{ . }}"
+{{- end }}
+ type: {{ .Values.service.type }}
+ ports:
+{{- if .Values.networkGateway }}
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ - name: tls-istiod
+ port: 15012
+ targetPort: 15012
+ - name: tls-webhook
+ port: 15017
+ targetPort: 15017
+{{- else }}
+ {{- range $key, $val := .Values.service.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+ selector:
+ {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 00000000..e5b2304d
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml
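Review bot: The `has $pkey (list "name" "nodePort" "port" "targetPort")` filter in the `{{- else }}` branch of the ports loop drops `protocol`, so a port declared with `protocol: UDP` in `service.ports` is silently created as TCP (the API default), while the shipped values carry `protocol: TCP` on every entry and give the impression the field is honoured. Adding it to the allow-list, `{{- if has $pkey (list "name" "nodePort" "port" "protocol" "targetPort") }}`, fixes that; as with the rest of the vendored chart the change would go into zdt.patch or upstream. Separately, the default `externalTrafficPolicy: ""` (Cluster) loses the client source address before it reaches Envoy unless the proxy-protocol EnvoyFilter listed in the diffstat is enabled, so the umbrella values should make that pairing explicit rather than leaving it to the operator.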
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.schema.json b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json
new file mode 100644
index 00000000..f51e6849
--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json
@@ -0,0 +1,193 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": ["object", "null"] + }, + "containerSecurityContext": { + "type": ["object", "null"] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "revision": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": ["string", "boolean"], + "enum": [true, false, "auto"] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ports": { + "type": "array", + "items": { + "type": 
"object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + } + } +} diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.yaml b/charts/kubezero-istio-gateway/charts/gateway/values.yaml new file mode 100644 index 00000000..f225cee5 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/values.yaml 
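Review bot: The schema accepts `runAsRoot` and `unprivilegedPort` (roughly two-thirds through the hunk), but as far as this commit shows no template reads either value — deployment.yaml derives privileges solely from `securityContext`, `containerSecurityContext` and the cluster version. A user who sets `runAsRoot: false` expecting the container to be hardened gets a clean validation pass and no change in behaviour, which is the worst outcome for a security knob; the two keys are not listed in the new values.yaml either. Either drop the two properties from the schema, or document them in values.yaml as unused (`# runAsRoot / unprivilegedPort: accepted by the schema but not consumed by any template in this chart version`), or state in the commit message that a later patch wires them up.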
@@ -0,0 +1,88 @@ +# Name allows overriding the release name. Generally this should not be set +name: "" +# revision declares which revision this gateway is a part of +revision: "" + +replicaCount: 1 + +rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + +serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + +podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + +# Define the security context for the pod. +# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. +# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. +securityContext: ~ +containerSecurityContext: ~ + +service: + # Type of service. 
Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +# Pod environment variables +env: {} + +# Labels to apply to all resources +labels: {} + +# Annotations to apply to all resources +annotations: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# If specified, the gateway will act as a network gateway for the given network. +networkGateway: "" + +imagePullSecrets: [] \ No newline at end of file diff --git a/charts/kubezero-istio-ingress/templates/_gateway.tpl b/charts/kubezero-istio-gateway/templates/_gateway.tpl similarity index 77% rename from charts/kubezero-istio-ingress/templates/_gateway.tpl rename to charts/kubezero-istio-gateway/templates/_gateway.tpl index 5983de1f..ec8e0c6e 100644 --- a/charts/kubezero-istio-ingress/templates/_gateway.tpl +++ b/charts/kubezero-istio-gateway/templates/_gateway.tpl @@ -40,3 +40,14 @@ {{- end }} {{- end }} + + +{{- define "gatewayName" -}} +{{ .Values.gateway.name | default .Release.Name | default "istio-ingressgateway" }} +{{- end }} + + +{{- define "gatewaySelectorLabels" -}} +app: {{ include "gatewayName" . }} +istio: {{ include "gatewayName" . | trimPrefix "istio-" }} +{{- end }} 
diff --git a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml b/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
similarity index 91%
rename from charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
rename to charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
index aa6ec259..0e012244 100644
--- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
+++ b/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
@@ -1,10 +1,9 @@
-{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
 # https://github.com/istio/istio/issues/24715
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: istio-gateway-bootstrap-config
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-bootstrap-config
   namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
@@ -58,4 +57,3 @@ data:
       ]
     }
   }
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
similarity index 85%
rename from charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
rename to charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
index dd1d9d34..d97b3637 100644
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@@ -1,12 +1,14 @@
-{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: ingressgateway-hardening
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+  {{ include "kubezero-lib.labels" . | nindent 4 }}
 spec:
+  workloadSelector:
+    labels:
+      {{- include "gatewaySelectorLabels" . | nindent 6 }}
   configPatches:
   - applyTo: CLUSTER
     patch:
@@ -35,4 +37,3 @@ spec:
           initial_connection_window_size: 1048576 # 1 MiB
           #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
           #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
-{{- end }}
diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml
new file mode 100644
index 00000000..3888aa51
--- /dev/null
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-listener-tcp-keepalive
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      {{- include "gatewaySelectorLabels" . | nindent 6 }}
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        socket_options:
+        - level: 1 # SOL_SOCKET = 1
+          name: 9 # SO_KEEPALIVE = 9
+          int_value: 1
+          state: STATE_PREBIND
+        - level: 6 # IPPROTO_TCP = 6
+          name: 4 # TCP_KEEPIDLE = 4
+          int_value: 120
+          state: STATE_PREBIND
+        - level: 6 # IPPROTO_TCP = 6
+          name: 5 # TCP_KEEPINTVL = 5
+          int_value: 60
+          state: STATE_PREBIND
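Review bot: envoyfilter-keepalive-nlb.yaml is rendered unconditionally and its single `configPatches` entry carries no `match`, so the keepalive socket options are merged into every listener the selected gateway pods own, including the 15021 status listener, whereas the sibling AWS-specific proxy-protocol filter in this commit is gated by a value; the file name says NLB, so a guard such as `{{- if .Values.keepalive }}` (or reusing `.Values.proxyProtocol`) would keep non-AWS installs from carrying it. `TCP_KEEPIDLE` and `TCP_KEEPINTVL` are set but `TCP_KEEPCNT` (level 6, name 6) is not, so the number of unanswered probes before the kernel drops the connection stays at the node's default; either add an explicit entry or note it, e.g. `# TCP_KEEPCNT left at kernel default`. The numeric level/name values are Linux-specific, which the inline comments already make clear.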
diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml
new file mode 100644
index 00000000..1c1fce60
--- /dev/null
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.proxyProtocol }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-proxy-protocol
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{ include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      {{- include "gatewaySelectorLabels" . | nindent 6 }}
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        listener_filters:
+        - name: envoy.listener.proxy_protocol
+        - name: envoy.listener.tls_inspector
+{{- end }}
diff --git a/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml b/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml
new file mode 100644
index 00000000..57d6c134
--- /dev/null
+++ b/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml
@@ -0,0 +1,19 @@
+{{- range $cert := .Values.certificates }}
+{{- if $cert.dnsNames }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $cert.name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" $ | indent 4 }}
+spec:
+  secretName: {{ $cert.name }}
+  issuerRef:
+    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
+    kind: ClusterIssuer
+  dnsNames:
+{{ toYaml $cert.dnsNames | indent 4 }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
similarity index 50%
rename from charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
rename to charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
index d8d859b7..d2929b56 100644
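Review bot: Adding `envoy.listener.proxy_protocol` to every listener (no `match` block) makes the gateway take the PROXY header's source address at face value from whoever reaches the port, and this commit's values.yaml turns it on by default (`proxyProtocol: true`) on a `NodePort` service, so any client that can reach a node port directly rather than through the NLB can spoof its client IP in access logs, `X-Forwarded-For` and any IP-based allow-list; that is only safe if the node ports are reachable solely from the load balancer, which a comment should state, e.g. `# PROXY headers are trusted unconditionally: node ports 30080/30443 MUST only be reachable from the NLB`. The `envoy.listener.*` identifiers are the deprecated spellings; the canonical names are `envoy.filters.listener.proxy_protocol` and `envoy.filters.listener.tls_inspector`, worth checking against the Envoy build shipped by the pinned Istio version since deprecated names have been progressively rejected. A minor style point: `  {{ include "kubezero-lib.labels" . | nindent 4 }}` keeps leading spaces before `nindent`, leaving a whitespace-only line in the output, while the keepalive filter in the same commit uses `{{- include ... | nindent 4 }}`.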
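Review bot: `kind: ClusterIssuer` is hardcoded in ingress-certificate.yaml while the issuer name is configurable, so a namespaced `Issuer` scoped to the gateway namespace cannot be used and the default `letsencrypt-dns-prod` is assumed to exist cluster-wide; one line makes the kind overridable, `kind: {{ default "ClusterIssuer" $cert.issuerKind }}`. Entries without `dnsNames` are silently skipped, which is reasonable, but a comment saying so would help since the chart's default `certificates` entry is exactly such an entry.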
--- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
+++ b/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
@@ -1,19 +1,15 @@
-# Public Ingress Gateway
-{{- $gateway := index .Values "istio-ingress" }}
-
-{{- if and $gateway.enabled $gateway.certificates }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
-
+{{- if .Values.certificates }}
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
-  name: ingressgateway
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
   selector:
-    istio: ingressgateway
+    {{- include "gatewaySelectorLabels" . | nindent 4 }}
   servers:
-  {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
+  {{- include "gatewayServers" (dict "certificates" .Values.certificates "ports" .Values.gateway.service.ports ) | nindent 2}}
 {{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/podmonitor.yaml b/charts/kubezero-istio-gateway/templates/podmonitor.yaml
similarity index 84%
rename from charts/kubezero-istio-ingress/templates/podmonitor.yaml
rename to charts/kubezero-istio-gateway/templates/podmonitor.yaml
index e3d26efa..2020c4fe 100644
--- a/charts/kubezero-istio-ingress/templates/podmonitor.yaml
+++ b/charts/kubezero-istio-gateway/templates/podmonitor.yaml
@@ -1,8 +1,8 @@
-{{- if or ( index .Values "istio-ingress" "telemetry" "enabled" ) ( index .Values "istio-private-ingress" "telemetry" "enabled" )}}
+{{- if .Values.telemetry.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
-  name: envoy-stats-monitor
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-envoy-stats-monitor
   namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
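Review bot: The new guard `{{- if .Values.certificates }}` only tests that the list is non-empty, but this commit's default values ship one entry (`ingress-cert` with `dnsNames: []`), and ingress-certificate.yaml creates a Certificate only for entries that have `dnsNames`; with defaults the Gateway is therefore rendered while no Certificate or TLS Secret is ever created, so the HTTPS server presumably references a `credentialName` that does not exist (the `gatewayServers` helper that builds the servers is above this hunk and not visible). Aligning the two conditions, e.g. guarding on entries that actually carry `dnsNames`, or documenting in values.yaml that `certificates[].dnsNames` must be set before the Gateway is useful, avoids a gateway that silently serves no TLS. The `ports` now passed in carry the chart-specific `noGateway`, `gatewayProtocol` and `tls` keys, so correct output depends on `gatewayServers` honouring `noGateway` for the 15021 status port.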
@@ -10,6 +10,8 @@ spec:
   selector:
     matchExpressions:
     - {key: istio-prometheus-ignore, operator: DoesNotExist}
+    matchLabels:
+      {{- include "gatewaySelectorLabels" . | nindent 6 }}
   jobLabel: envoy-stats
   podMetricsEndpoints:
   - path: /stats/prometheus
diff --git a/charts/kubezero-istio-gateway/update.sh b/charts/kubezero-istio-gateway/update.sh
new file mode 100755
index 00000000..6180df35
--- /dev/null
+++ b/charts/kubezero-istio-gateway/update.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="gateway") | .version' Chart.yaml)
+
+helm dep update
+
+# Patch
+tar xf charts/gateway-$ISTIO_VERSION.tgz -C charts && rm -f charts/gateway-$ISTIO_VERSION.tgz
+#diff -tubr charts/gateway.orig charts/gateway
+patch -p0 -i zdt.patch --no-backup-if-mismatch
diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml
new file mode 100644
index 00000000..873221fa
--- /dev/null
+++ b/charts/kubezero-istio-gateway/values.yaml
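Review bot: update.sh downloads the upstream gateway chart with `helm dep update`, unpacks it with `tar xf` and patches it, with no integrity check anywhere in the chain: nothing pins a content digest, and `helm dep update` re-resolves rather than building from a committed `Chart.lock`, so the vendored chart that ends up in git is whatever the repository served at the time. Use `helm dep build` against a committed lock file (and `helm dep update --verify` if upstream publishes provenance), and compare the tarball against a pinned checksum before extracting, e.g. `echo "${EXPECTED_SHA256}  charts/gateway-$ISTIO_VERSION.tgz" | sha256sum -c -`. The unquoted `$ISTIO_VERSION` in the tar paths is harmless for a version string, but `"charts/gateway-$ISTIO_VERSION.tgz"` is the safer spelling, and the `yq eval ... | select(...)` expression assumes the Go `yq` v4 syntax, which a comment should say.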
@@ -0,0 +1,87 @@
+gateway:
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 4
+    targetCPUUtilizationPercentage: 80
+
+  replicaCount: 1
+
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      # cpu: 100m
+      memory: 512Mi
+
+  service:
+    type: NodePort
+    externalTrafficPolicy: Local
+    # Map port 80/443 to 8080/8443 so we don't need to root
+
+    # ports is extended as follows:
+    # noGateway: true -> this port does NOT get mapped to a Gateway port
+    # tls: optional gateway port setting
+    # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
+    ports:
+    - name: status-port
+      port: 15021
+      nodePort: 30021
+      noGateway: true
+    - name: http2
+      port: 80
+      targetPort: 8080
+      nodePort: 30080
+      gatewayProtocol: HTTP2
+      tls:
+        httpsRedirect: true
+    - name: https
+      port: 443
+      targetPort: 8443
+      nodePort: 30443
+      gatewayProtocol: HTTPS
+      tls:
+        mode: SIMPLE
+
+  affinity:
+    # Only nodes who are fronted with matching NLB
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node.kubernetes.io/ingress.public
+            operator: Exists
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: app
+            operator: In
+            values:
+            - istio-ingressgateway
+        topologyKey: "kubernetes.io/hostname"
+
+  podAnnotations:
+    proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
+
+  # TODO
+  # custom hardened bootstrap config
+  #env:
+  #  ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+
+  #configVolumes:
+  #- name: custom-bootstrap-volume
+  #  mountPath: /etc/istio/custom-bootstrap
+  #  configMapName: istio-gateway-bootstrap-config
+
+
+certificates:
+- name: ingress-cert
+  dnsNames: []
+#  - '*.example.com'
+
+telemetry:
+  enabled: false
+
+proxyProtocol: true
diff --git a/charts/kubezero-istio-gateway/zdt.patch b/charts/kubezero-istio-gateway/zdt.patch
new file mode 100644
index 00000000..a9189117
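Review bot: The hardened Envoy bootstrap is not applied by this chart: the `env`/`configVolumes` block that would mount the `*-bootstrap-config` ConfigMap is commented out as TODO, the ConfigMap itself is still rendered by bootstrap-config.yaml (now unconditionally), and the vendored gateway chart's values.schema.json in this commit sets `additionalProperties: false` with no `configVolumes` property, so uncommenting it as written would fail schema validation; the TODO should say that the edge-proxy hardening from the old chart is currently lost, e.g. `# TODO: bootstrap override is NOT wired in yet (subchart schema has no configVolumes), edge hardening from the previous chart is not applied`. The `podAntiAffinity` selector hardcodes `app: istio-ingressgateway`, but `gatewaySelectorLabels` derives `app` from the release name, so for any other release name the anti-affinity matches nothing and replicas may land on one node; either note that constraint or move the rule into a template. Also `proxyProtocol: true` as the default combined with `type: NodePort` means PROXY headers are trusted on ports reachable by anything that can hit the node; a one-line comment stating the NLB-only reachability assumption belongs next to it. Comment typos: `Procotol` → `Protocol`, `don't need to root` → `don't need to run as root`.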
--- /dev/null
+++ b/charts/kubezero-istio-gateway/zdt.patch
@@ -0,0 +1,40 @@
+diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml
+--- charts/gateway.orig/templates/deployment.yaml	2022-04-21 01:00:49.624942235 +0200
++++ charts/gateway/templates/deployment.yaml	2022-04-21 01:04:28.276506097 +0200
+@@ -11,6 +11,9 @@
+   {{- if not .Values.autoscaling.enabled }}
+   replicas: {{ .Values.replicaCount }}
+   {{- end }}
++  # Give the LB 120s to detect and take into service
++  # should only be 40s by we are on AWS so ...
++  minReadySeconds: 120
+   selector:
+     matchLabels:
+       {{- include "gateway.selectorLabels" . | nindent 6 }}
+@@ -31,6 +34,7 @@
+       imagePullSecrets:
+         {{- toYaml . | nindent 8 }}
+       {{- end }}
++      terminationGracePeriodSeconds: 120
+       serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+       securityContext:
+       {{- if .Values.securityContext }}
+diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
+--- charts/gateway.orig/templates/service.yaml	2022-04-21 01:00:49.628275645 +0200
++++ charts/gateway/templates/service.yaml	2022-04-21 01:08:56.785411051 +0200
+@@ -38,7 +38,14 @@
+     port: 15017
+     targetPort: 15017
+   {{- else }}
+-{{ .Values.service.ports | toYaml | indent 4 }}
++    {{- range $key, $val := .Values.service.ports }}
++    -
++      {{- range $pkey, $pval := $val }}
++      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
++      {{ $pkey}}: {{ $pval }}
++      {{- end }}
++      {{- end }}
++    {{- end }}
+   {{- end }}
+   selector:
+     {{- include "gateway.selectorLabels" . | nindent 4 }}
diff --git a/charts/kubezero-istio-ingress/.helmignore b/charts/kubezero-istio-ingress/.helmignore
deleted file mode 120000
index 1ff0487d..00000000
--- a/charts/kubezero-istio-ingress/.helmignore
+++ /dev/null
@@ -1 +0,0 @@
-../kubezero-istio/.helmignore
\ No newline at end of file
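Review bot: The service.yaml part of zdt.patch replaces the upstream `toYaml` of `service.ports` with an allow-list of `name`, `nodePort`, `port` and `targetPort`, which silently drops `protocol` (and `appProtocol`) from every port; Kubernetes then defaults each port to TCP, so a UDP port added later to `service.ports` would be rendered as TCP without any error. Adding it to the list is a one-token change, `{{- if has $pkey (list "name" "nodePort" "port" "protocol" "targetPort") }}`, and a comment should explain why the filter exists at all (the chart-private `noGateway`/`gatewayProtocol`/`tls` keys must not reach the Service). The patch is applied with `--no-backup-if-mismatch` and no `--fuzz=0`, so a future upstream change that still applies with offset will be accepted silently; since this patch also changes `minReadySeconds`/`terminationGracePeriodSeconds`, a strict apply would be safer. The comment `should only be 40s by we are on AWS so ...` reads as `but we are on AWS`.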
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml deleted file mode 100644 index 36126fea..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-ingress -version: 1.11.5 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio gateways -keywords: - - istio - - ingressgateway - - gateways -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt deleted file mode 100644 index 221ee560..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt +++ /dev/null 
@@ -1,43 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minimize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label and chart structure. -- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades -and allows a bit more flexibility. -- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. - -# Port and basic host configuration - -In order to configure the Service object, the install/upgrade needs to provide a list of all ports. -In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured -both in upgrade, Gateway and VirtualService. - -The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, -Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual -config for the rest. - -All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. 
Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl deleted file mode 100644 index f958a959..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - {{- if eq $val "Exists" }} - - key: {{ $key }} - operator: Exists - {{- else }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml deleted file mode 100644 index 8cf8f668..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml deleted file mode 100644 index 9ce9008b..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ /dev/null 
@@ -1,335 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} - # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ?? - minReadySeconds: 120 -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - 
securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - terminationGracePeriodSeconds: 120 -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - 
- --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - #This needs kube-proxy support coming with 1.22 hopefully, cilium ? - #lifecycle: - # preStop: - # exec: - # command: ["/bin/sh","-c","sleep 30"] - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: 
kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - volumeMounts: - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml deleted file mode 100644 index 1115d18d..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml +++ /dev/null 
@@ -1,143 +0,0 @@
-{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if ne $gateway.injectionTemplate "" }}
-{{/* This provides a minimal gateway, ready to be injected.
- Any settings from values.gateways should be here - these are options specific to the gateway.
- Global settings, like the image, various env vars and volumes, etc will be injected.
- The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $gateway.name | default "istio-ingressgateway" }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
-{{- if not $gateway.autoscaleEnabled }}
-{{- if $gateway.replicaCount }}
- replicas: {{ $gateway.replicaCount }}
-{{- end }}
-{{- end }}
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | indent 6 }}
- strategy:
- rollingUpdate:
- maxSurge: {{ $gateway.rollingMaxSurge }}
- maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
- template:
- metadata:
- labels:
-{{ $gateway.labels | toYaml | indent 8 }}
-{{- if eq .Release.Namespace "istio-system"}}
- heritage: Tiller
- release: istio
- chart: gateways
-{{- end }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- sidecar.istio.io/inject: "true"
- {{- with .Values.revision }}
- istio.io/rev: {{ .
}}
- {{- end }}
- annotations:
- {{- if .Values.meshConfig.enablePrometheusMerge }}
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
- prometheus.io/path: "/stats/prometheus"
- {{- end }}
- sidecar.istio.io/inject: "true"
- inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
-{{- if $gateway.podAnnotations }}
-{{ toYaml $gateway.podAnnotations | indent 8 }}
-{{ end }}
- spec:
-{{- if not $gateway.runAsRoot }}
- securityContext:
- runAsUser: 1337
- runAsGroup: 1337
- runAsNonRoot: true
- fsGroup: 1337
-{{- end }}
- serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: istio-proxy
- image: auto
- ports:
- {{- range $key, $val := $gateway.ports }}
- - containerPort: {{ $val.targetPort | default $val.port }}
- protocol: {{ $val.protocol | default "TCP" }}
- {{- end }}
- - containerPort: 15090
- protocol: TCP
- name: http-envoy-prom
- {{- if not $gateway.runAsRoot }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- {{- end }}
- resources:
-{{- if $gateway.resources }}
-{{ toYaml $gateway.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- env:
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
- {{- range $key, $val := $gateway.env }}
- - name: {{ $key }}
- value: {{ $val }}
- {{- end }}
- volumeMounts:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- {{- if .mountPath }}
- - name: {{ .name }}
- mountPath: {{ .mountPath | quote }}
- readOnly: true
- {{- end }}
- {{- end }}
-{{- if $gateway.additionalContainers }}
-{{ toYaml $gateway.additionalContainers | indent 8
}}
-{{- end }}
- volumes:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 523a43fc..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- minAvailable: 1
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | trim | indent 6 }}
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
deleted file mode 100644
index 3e21bca5..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
deleted file mode 100644
index d4525579..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $gateway.name }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $gateway.name }}-service-account
----
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
deleted file mode 100644
index e3893c5e..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if not $gateway.customService }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := $gateway.serviceAnnotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
-{{- if $gateway.loadBalancerIP }}
- loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
-{{- end }}
-{{- if $gateway.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
-{{- if $gateway.externalTrafficPolicy }}
- externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
-{{- end }}
- type: {{ $gateway.type }}
- selector:
-{{ $gateway.labels | toYaml | indent 4 }}
- ports:
-
- {{- range $key, $val := $gateway.ports }}
- -
- {{- range $pkey, $pval := $val }}
- {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
- {{ $pkey}}: {{ $pval }}
- {{- end }}
- {{- end }}
- {{- end }}
-
- {{ range $app := $gateway.ingressPorts }}
- -
- port: {{ $app.port }}
- name: {{ $app.name }}
- {{- end }}
----
-{{ end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
deleted file mode 100644
index 9cf3034c..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
deleted file mode 100644
index ab5a0da2..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
+++ /dev/null
@@ -1,326 +0,0 @@
-# A-la-carte istio ingress gateway.
-# Must be installed in a separate namespace, to minimize access to secrets.
-
-gateways:
- istio-ingressgateway:
- name: istio-ingressgateway
- labels:
- app: istio-ingressgateway
- istio: ingressgateway
- ports:
- ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
- # Note that AWS ELB will by default perform health checks on the first port
- # on this list. Setting this to the health check port will ensure that health
- # checks always work. https://github.com/istio/istio/issues/12503
- - port: 15021
- targetPort: 15021
- name: status-port
- protocol: TCP
- - port: 80
- targetPort: 8080
- name: http2
- protocol: TCP
- - port: 443
- targetPort: 8443
- name: https
- protocol: TCP
-
- # Scalability tuning
- # replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
-
- cpu:
- targetAverageUtilization: 80
-
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
-
- loadBalancerIP: ""
- loadBalancerSourceRanges: []
- serviceAnnotations: {}
-
- # Enable cross-cluster access using SNI matching
- zvpn:
- enabled: false
- suffix: global
-
- # To generate an internal load balancer:
- # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
- #serviceAnnotations:
- # cloud.google.com/load-balancer-type: "internal"
-
- podAnnotations: {}
- type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
-
- ##############
- secretVolumes:
- - name: ingressgateway-certs
- secretName: istio-ingressgateway-certs
- mountPath: /etc/istio/ingressgateway-certs
- - name: ingressgateway-ca-certs
- secretName: istio-ingressgateway-ca-certs
- mountPath: /etc/istio/ingressgateway-ca-certs
-
- customService: false
- externalTrafficPolicy: ""
-
- ingressPorts: []
- additionalContainers: []
- configVolumes: []
-
- serviceAccount:
- #
Annotations to add to the service account
- annotations: {}
-
- ### Advanced options ############
- env:
- # A gateway with this mode ensures that pilot generates an additional
- # set of clusters for internal services but without Istio mTLS, to
- # enable cross cluster routing.
- ISTIO_META_ROUTER_MODE: "standard"
-
- nodeSelector: {}
- tolerations: []
-
- # Specify the pod anti-affinity that allows you to constrain which nodes
- # your pod is eligible to be scheduled based on labels on pods that are
- # already running on the node rather than based on labels on nodes.
- # There are currently two types of anti-affinity:
- # "requiredDuringSchedulingIgnoredDuringExecution"
- # "preferredDuringSchedulingIgnoredDuringExecution"
- # which denote "hard" vs. "soft" requirements, you can define your values
- # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
- # correspondingly.
- # For example:
- # podAntiAffinityLabelSelector:
- # - key: security
- # operator: In
- # values: S1,S2
- # topologyKey: "kubernetes.io/hostname"
- # This pod anti-affinity rule says that the pod requires not to be scheduled
- # onto a node if that node is already running a pod with label having key
- # "security" and value "S1".
- podAntiAffinityLabelSelector: []
- podAntiAffinityTermLabelSelector: []
-
- # whether to run the gateway in a privileged container
- runAsRoot: false
-
- # The injection template to use for the gateway. If not set, no injection will be performed.
- injectionTemplate: ""
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-# For Helm compatibility.
-ownerName: ""
-
-global:
- # set the default set of namespaces to which services, service entries, virtual services, destination
- # rules should be exported to. Currently only one value can be provided in this list.
This value
- # should be one of the following two options:
- # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
- # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
- defaultConfigVisibilitySettings: []
-
- # Default node selector to be applied to all deployments so that all pods can be
- # constrained to run a particular nodes. Each component can overwrite these default
- # values by adding its node selector block in the relevant section below and setting
- # the desired values.
- defaultNodeSelector: {}
-
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
-
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
-
- # Default node tolerations to be applied to all deployments so that all pods can be
- # scheduled to a particular nodes with matching taints. Each component can overwrite
- # these default values by adding its tolerations block in the relevant section below
- # and setting the desired values.
- # Configure this field in case that all pods of Istio control plane are expected to
- # be scheduled to particular nodes with specified taints.
- defaultTolerations: []
-
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
-
- # Default tag for Istio images.
- tag: 1.11.5
-
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
-
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
-
- # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
- # 0 - Never scheduled
- # 1 - Least preferred
- # 2 - No preference
- # 3 - Most preferred
- arch:
- amd64: 2
- s390x: 2
- ppc64le: 2
-
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
-
- proxy:
- image: proxyv2
-
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
-
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
-
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
-
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
-
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- caAddress: ""
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- # Configure the policy for validating JWT.
- # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "third-party-jwt"
-
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value.
If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
-
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
-
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
- # The suffix for global service names
- globalDomainSuffix: "global"
- # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
- includeEnvoyFilter: true
-
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
-
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
-
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
-
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
-
-
-meshConfig:
- enablePrometheusMerge: true
-
- # The trust domain corresponds to the trust root of a system
- # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
- trustDomain: "cluster.local"
-
- defaultConfig:
- proxyMetadata: {}
- tracing:
- # tlsSettings:
- # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
- # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
- # privateKey: # example: /etc/istio/tracer/key.pem
- # caCertificates: # example: /etc/istio/tracer/root-cert.pem
- # sni: # example: tracer.somedomain
- # subjectAltNames: []
- # - tracer.somedomain
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
deleted file mode 100644
index 4b132cb1..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: istio-private-ingress
-version: 1.11.5
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio gateways
-keywords:
- - istio
- - ingressgateway
- - gateways
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
deleted file mode 100644
index 221ee560..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-
-Changes:
-- separate namespace allows:
--- easier reconfig of just the gateway
--- TLS secrets and domain name management is isolated, for better security
--- simplified configuration
--- multiple versions of the ingress can be used, to minimize upgrade risks
-
-- the new chart uses the default namespace service account, and doesn't require
-additional RBAC permissions.
-
-- simplified label and chart structure.
-- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
-and allows a bit more flexibility.
-- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
-
-# Port and basic host configuration
-
-In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
-In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
-both in upgrade, Gateway and VirtualService.
-
-The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
-Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
-config for the rest.
-
-All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
-
-# Migration from istio-system
-
-Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
-with the Service and bound to the namespace, it is recommended to:
-
-1. Install the new gateway in a new namespace.
-2. Copy any TLS certificate to the new namespace, and configure the domains.
-3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
-4. Modify the DNS server to add the A record of the new namespace
-5. Check traffic
-6. Delete the A record corresponding to the gateway in istio-system
-7. Upgrade istio-system, disabling the ingressgateway
-8.
Delete the domain TLS certs from istio-system.
-
-If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
deleted file mode 100644
index f958a959..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
+++ /dev/null
@@ -1,105 +0,0 @@
-{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
-
-{{ define "nodeaffinity" }}
-nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityRequiredDuringScheduling" . }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityPreferredDuringScheduling" . }}
-{{- end }}
-
-{{- define "nodeAffinityRequiredDuringScheduling" }}
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
- {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
- {{- range $key, $val := $nodeSelector }}
- {{- if eq $val "Exists" }}
- - key: {{ $key }}
- operator: Exists
- {{- else }}
- - key: {{ $key }}
- operator: In
- values:
- - {{ $val | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "nodeAffinityPreferredDuringScheduling" }}
- {{- range $key, $val := .global.arch }}
- {{- if gt ($val | int) 0 }}
- - weight: {{ $val | int }}
- preference:
- matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinity" }}
-{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
- podAntiAffinity:
- {{- if .podAntiAffinityLabelSelector }}
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityRequiredDuringScheduling" . }}
- {{- end }}
- {{- if .podAntiAffinityTermLabelSelector }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityPreferredDuringScheduling" .
}}
- {{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityRequiredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityLabelSelector }}
- - labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- {{- if $item.namespaces }}
- namespaces:
- {{- $ns := split "," $item.namespaces }}
- {{- range $i, $n := $ns }}
- - {{ $n | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityPreferredDuringScheduling" }}
- {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- weight: 100
- {{- end }}
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
deleted file mode 100644
index 8cf8f668..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
deleted file mode 100644
index 9ce9008b..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
+++ /dev/null
@@ -1,335 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} - # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ?? - minReadySeconds: 120 -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - 
securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - terminationGracePeriodSeconds: 120 -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - 
- --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - #This needs kube-proxy support coming with 1.22 hopefully, cilium ? - #lifecycle: - # preStop: - # exec: - # command: ["/bin/sh","-c","sleep 30"] - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: 
kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - volumeMounts: - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml deleted file mode 100644 index 1115d18d..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . 
}} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 
}}
-{{- end }}
- volumes:
- {{- range $gateway.secretVolumes }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName | quote }}
- optional: true
- {{- end }}
- {{- range $gateway.configVolumes }}
- - name: {{ .name }}
- configMap:
- name: {{ .configMapName | quote }}
- optional: true
- {{- end }}
- affinity:
-{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
- {{- include "podAntiAffinity" $gateway | indent 6 }}
-{{- if $gateway.tolerations }}
- tolerations:
-{{ toYaml $gateway.tolerations | indent 6 }}
-{{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
-{{- end }}
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 523a43fc..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- minAvailable: 1
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | trim | indent 6 }}
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
deleted file mode 100644
index 3e21bca5..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
deleted file mode 100644
index d4525579..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $gateway.name }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $gateway.name }}-service-account
----
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
deleted file mode 100644
index e3893c5e..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml deleted file mode 100644 index 9cf3034c..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
deleted file mode 100644
index ab5a0da2..00000000
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
+++ /dev/null
@@ -1,326 +0,0 @@ -# A-la-carte istio ingress gateway. -# Must be installed in a separate namespace, to minimize access to secrets. - -gateways: - istio-ingressgateway: - name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - protocol: TCP - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - targetPort: 8443 - name: https - protocol: TCP - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - - cpu: - targetAverageUtilization: 80 - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - serviceAnnotations: {} - - # Enable cross-cluster access using SNI matching - zvpn: - enabled: false - suffix: global - - # To generate an internal load balancer: - # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal - #serviceAnnotations: - # cloud.google.com/load-balancer-type: "internal" - - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - customService: false - externalTrafficPolicy: "" - - ingressPorts: [] - additionalContainers: [] - configVolumes: [] - - serviceAccount: - # 
Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - env: - # A gateway with this mode ensures that pilot generates an additional - # set of clusters for internal services but without Istio mTLS, to - # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "standard" - - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. 
This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. 
- tag: 1.11.5 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: - amd64: 2 - s390x: 2 - ppc64le: 2 - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". 
- clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. 
If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # The suffix for global service names - globalDomainSuffix: "global" - # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication - includeEnvoyFilter: true - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. 
- # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml deleted file mode 100644 index abb21c34..00000000 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -{{- if index .Values "istio-ingress" "enabled" }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: ingressgateway-listener-tcp-keepalive - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - socket_options: - - level: 1 # SOL_SOCKET = 1 - name: 9 # SO_KEEPALIVE = 9 - int_value: 1 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 4 # TCP_KEEPIDLE = 4 - int_value: 120 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 5 # TCP_KEEPINTVL = 5 - int_value: 60 - state: STATE_PREBIND -{{- end }} - -{{- if index .Values "istio-private-ingress" "enabled" }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: private-ingressgateway-listener-tcp-keepalive - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - istio: private-ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - socket_options: - - level: 1 # SOL_SOCKET = 1 - name: 9 # SO_KEEPALIVE = 9 - int_value: 1 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 4 # TCP_KEEPIDLE = 4 - int_value: 120 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 5 # TCP_KEEPINTVL = 5 - int_value: 60 - state: STATE_PREBIND -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml deleted file mode 100644 index e3d4fe41..00000000 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: ingressgateway-proxy-protocol - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - listener_filters: - - name: envoy.listener.proxy_protocol - - name: envoy.listener.tls_inspector -{{- end }} - -{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: private-ingressgateway-proxy-protocol - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - workloadSelector: - labels: - istio: private-ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - listener_filters: - - name: envoy.listener.proxy_protocol - - name: envoy.listener.tls_inspector -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml deleted file mode 100644 index 53d05a6f..00000000 --- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{- range $cert := (index .Values "istio-ingress" "certificates") }} -{{- if $cert.dnsNames }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $cert.name }} - namespace: {{ $.Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" $ | indent 4 }} -spec: - secretName: {{ $cert.name }} - issuerRef: - name: {{ default "letsencrypt-dns-prod" $cert.issuer }} - kind: ClusterIssuer - dnsNames: -{{ toYaml $cert.dnsNames | indent 4 }} ---- -{{- end }} -{{- end }} - -{{- range $cert := (index .Values "istio-private-ingress" "certificates") }} -{{- if $cert.dnsNames }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $cert.name }} - namespace: {{ $.Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" $ | indent 4 }} -spec: - secretName: private-ingress-cert - issuerRef: - name: {{ default "letsencrypt-dns-prod" $cert.issuer }} - kind: ClusterIssuer - dnsNames: -{{ toYaml $cert.dnsNames | indent 4 }} ---- -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml deleted file mode 100644 index 6ee25df1..00000000 --- a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Private Ingress Gateway -{{- $gateway := index .Values "istio-private-ingress" }} - -{{- if and $gateway.enabled $gateway.certificates }} -# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts - -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - name: private-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - selector: - istio: private-ingressgateway - servers: - {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}} -{{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml deleted file mode 100644 index 8c575e1d..00000000 --- a/charts/kubezero-istio-ingress/values.yaml +++ /dev/null 
@@ -1,203 +0,0 @@ -# Make sure these values match kuberzero-istio !!! -global: - #hub: docker.io/istio - tag: 1.11.5-distroless - - logAsJson: true - - priorityClassName: "system-cluster-critical" - - defaultPodDisruptionBudget: - enabled: false - - arch: - amd64: 2 - -istio-ingress: - enabled: false - - telemetry: - enabled: false - - gateways: - istio-ingressgateway: - autoscaleEnabled: false - replicaCount: 1 - rollingMaxSurge: 1 - rollingMaxUnavailable: 0 - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - # cpu: 100m - memory: 512Mi - externalTrafficPolicy: Local - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-ingressgateway - type: NodePort - podAnnotations: - proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' - - # custom hardened bootstrap config - env: - ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json - configVolumes: - - name: custom-bootstrap-volume - mountPath: /etc/istio/custom-bootstrap - configMapName: istio-gateway-bootstrap-config - - # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch - nodeSelector: - node.kubernetes.io/ingress.public: "Exists" - # Only nodes who are fronted with matching NLB - #affintiy: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: node.kubernetes.io/ingress.public - # operator: Exists - - # Map port 80/443 to 8080/8443 so we don't need to root - - # ports is extended as follows: - # noGateway: true -> this port does NOT get mapped to a Gateway port - # tls: optional gateway port setting - # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! 
- ports: - - name: status-port - port: 15021 - nodePort: 30021 - noGateway: true - - name: http2 - port: 80 - targetPort: 8080 - nodePort: 30080 - gatewayProtocol: HTTP2 - tls: - httpsRedirect: true - - name: https - port: 443 - targetPort: 8443 - nodePort: 30443 - gatewayProtocol: HTTPS - tls: - mode: SIMPLE - - certificates: - - name: ingress-cert - dnsNames: [] - # - '*.example.com' - - proxyProtocol: true - - meshConfig: - defaultConfig: - proxyMetadata: - # ISTIO_META_HTTP10: 1 - -istio-private-ingress: - enabled: false - - telemetry: - enabled: false - - gateways: - istio-ingressgateway: - # name and labels make the ingress private - name: istio-private-ingressgateway - labels: - app: istio-private-ingressgateway - istio: private-ingressgateway - - autoscaleEnabled: false - replicaCount: 1 - rollingMaxSurge: 1 - rollingMaxUnavailable: 0 - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - # cpu: 100m - memory: 512Mi - externalTrafficPolicy: Local - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-private-ingressgateway - type: NodePort - podAnnotations: - proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' - - # custom hardened bootstrap config - env: - ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json - configVolumes: - - name: custom-bootstrap-volume - mountPath: /etc/istio/custom-bootstrap - configMapName: istio-gateway-bootstrap-config - - # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch - nodeSelector: - node.kubernetes.io/ingress.private: "Exists" - # Only nodes who are fronted with matching NLB - #affintiy: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: node.kubernetes.io/ingress.private - # operator: Exists - - ports: - - name: status-port - port: 15021 - nodePort: 31021 - noGateway: true - - name: http2 - 
port: 80 - targetPort: 8080 - nodePort: 31080 - gatewayProtocol: HTTP2 - tls: - httpsRedirect: true - - name: https - port: 443 - targetPort: 8443 - nodePort: 31443 - gatewayProtocol: HTTPS - tls: - mode: SIMPLE - #- name: fluentd-forward - # port: 24224 - # nodePort: 31224 - # gatewayProtocol: TLS - # tls: - # mode: SIMPLE - #- name: amqps - # port: 5671 - # nodePort: 31671 - #- name: amqp - # port: 5672 - # nodePort: 31672 - #- name: redis - # port: 6379 - # nodePort: 31379 - - certificates: - - name: private-ingress-cert - dnsNames: [] - #- '*.example.com' - - proxyProtocol: true - - meshConfig: - defaultConfig: - proxyMetadata: - # ISTIO_META_HTTP10: 1 diff --git a/charts/kubezero-istio/dashboards.yaml b/charts/kubezero-istio/dashboards.yaml index e29967b6..b04bff94 100644 --- a/charts/kubezero-istio/dashboards.yaml +++ b/charts/kubezero-istio/dashboards.yaml @@ -2,7 +2,7 @@ configmap: grafana-dashboards gzip: true folder: Istio -condition: 'index .Values "istio-discovery" "telemetry" "enabled"' +condition: '.Values.istiod.telemetry.enabled' dashboards: - name: istio-control-plane url: https://grafana.com/api/dashboards/7645/revisions/115/download diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index daaa5a14..eff48c92 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml @@ -1,4 +1,4 @@ -{{- if index .Values "istio-discovery" "telemetry" "enabled" }} +{{- if .Values.istiod.telemetry.enabled }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/kubezero/templates/_app.tpl b/charts/kubezero/templates/_app.tpl index ba0a0beb..8f434747 100644 --- a/charts/kubezero/templates/_app.tpl +++ b/charts/kubezero/templates/_app.tpl 
@@ -17,7 +17,11 @@ spec: project: kubezero source: + {{- if index .Values $name "chart" }} + chart: {{ index .Values $name "chart" }} + {{- else }} chart: kubezero-{{ $name }} + {{- end }} repoURL: {{ .Values.kubezero.repoURL }} targetRevision: {{ default .Values.kubezero.targetRevision ( index .Values $name "targetRevision" ) | quote }} helm: diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml deleted file mode 100644 index 691403ca..00000000 --- a/charts/kubezero/templates/istio-ingress.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- define "_ingress" }} -enabled: {{ .enabled }} -{{- with .gateway }} -gateways: - istio-ingressgateway: - {{- toYaml . | nindent 6 }} -{{- end }} -certificates: -{{- with .dnsNames }} -# Legacy to be removed with 1.21 !! -- name: ingress-cert - dnsNames: - {{- toYaml . | nindent 4 }} -{{- end }} -{{- range $cert := .certificates }} -- name: {{ $cert.name }} - dnsNames: - {{- toYaml $cert.dnsNames | nindent 4 }} -{{- end }} -proxyProtocol: {{ default true .proxyProtocol }} -{{- end }} - - -{{- define "istio-ingress-values" }} - -{{- with index .Values "istio-ingress" "global" }} -global: - {{- toYaml . | nindent 2 }} -{{- end }} - -{{- with index .Values "istio-ingress" "public" }} -istio-ingress: - telemetry: - enabled: {{ $.Values.metrics.enabled }} -{{- include "_ingress" . | nindent 2 }} -{{- end }} - -{{- with index .Values "istio-ingress" "private" }} -istio-private-ingress: - telemetry: - enabled: {{ $.Values.metrics.enabled }} -{{- include "_ingress" . | nindent 2 }} -{{- end }} - -{{- end }} - - -{{- define "istio-ingress-argo" }} -{{- end }} - -{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/istio-private-ingress.yaml b/charts/kubezero/templates/istio-private-ingress.yaml new file mode 100644 index 00000000..ae18564a --- /dev/null +++ b/charts/kubezero/templates/istio-private-ingress.yaml 
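Review bot: The new `chart:` override is emitted unquoted, while the sibling `targetRevision` line a few lines below pipes its value through `| quote`; for consistency, and so a chart name is never reinterpreted by the YAML parser, write `chart: {{ index .Values $name "chart" | quote }}`. A short comment above the guard would also help the next reader, e.g. `# optional per-app override of the chart name (default: kubezero-<app>)`. The enclosing `kubezero-app.app` definition starts before this hunk, so the surrounding context of `$name` is not visible here.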
@@ -0,0 +1,28 @@ +{{- define "istio-private-ingress-values" }} + +gateway: + name: istio-private-ingressgateway + labels: + app: istio-private-ingressgateway + istio: private-ingressgateway + {{- with index .Values "istio-private-ingress" "gateway" }} + {{- toYaml . | nindent 2 }} + {{- end }} + +telemetry: + enabled: {{ $.Values.metrics.enabled }} +certificates: +{{- range $cert := index .Values "istio-private-ingress" "certificates" }} +- name: {{ $cert.name }} + dnsNames: + {{- toYaml $cert.dnsNames | nindent 4 }} +{{- end }} +proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }} + +{{- end }} + + +{{- define "istio-private-ingress-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index f23d0f84..6f556c8b 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml @@ -1,7 +1,7 @@ {{- define "istio-values" }} -istio-discovery: +istiod: telemetry: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ $.Values.metrics.enabled }} {{- if .Values.HighAvailableControlplane }} pilot: replicaCount: 2 diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 5239819e..d8f00876 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -31,12 +31,18 @@ storage: istio: enabled: false namespace: istio-system - targetRevision: 0.7.6 + targetRevision: 0.8.0 istio-ingress: enabled: false namespace: istio-ingress - targetRevision: 0.7.6 + targetRevision: 0.8.0 + +istio-private-ingress: + enabled: false + chart: kubezero-istio-gateway + namespace: istio-ingress + targetRevision: 0.8.0 metrics: enabled: false
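Review bot: `proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}` cannot express an explicit `false`: Sprig's `default` treats boolean false as empty, so an operator who disables PROXY protocol for a private gateway that is not fronted by a PROXY-protocol-speaking load balancer still gets `true`, and the listener filter gated on this value (see the deleted envoyfilter-proxy-protocol.yaml above) stays enabled. Test for key presence instead, e.g. `{{- $pi := index .Values "istio-private-ingress" }}` followed by `proxyProtocol: {{ if hasKey $pi "proxyProtocol" }}{{ $pi.proxyProtocol }}{{ else }}true{{ end }}`. The same `default true` idiom is carried over from the deleted `_ingress` helper, so a public-ingress counterpart, if one is added elsewhere in this change, likely needs the same fix. Separately, the `gateway:` block appends the user-supplied `gateway` map after the fixed `name`/`labels` keys, so a user `labels:` or `name:` entry would yield duplicate YAML keys rather than a merge; either merge with `mergeOverwrite` or add a comment stating that `name` and `labels` are fixed for the private gateway.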
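Review bot: `istio-ingress` is bumped to `targetRevision: 0.8.0` but gets no `chart:` override, so `_app.tpl` still resolves it to `chart: kubezero-istio-ingress`, whose templates and values are deleted in the hunks above; if the public gateway is meant to move to the new chart like the private one, it needs `chart: kubezero-istio-gateway` here as well. Its Application template `charts/kubezero/templates/istio-ingress.yaml` is also deleted in this commit and no replacement is visible in this chunk, so this may be deliberate for a follow-up; a one-line comment such as `# public ingress moves to kubezero-istio-gateway, see <follow-up placeholder>` would make that explicit.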