feat: Istio Ingress migration to new gateway charts

2022-04-21 13:57:34 +02:00 · 2022-04-21 13:57:34 +02:00 · 39ba92132e
commit 39ba92132e
parent 07b2963661
65 changed files with 1011 additions and 2691 deletions
--- a/charts/kubezero-ci/Chart.yaml
+++ b/charts/kubezero-ci/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.4.44
+version: 0.4.45
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -22,7 +22,7 @@ dependencies:
    repository: https://gocd.github.io/helm-chart
    condition: gocd.enabled
  - name: gitea
-    version: 5.0.3
+    version: 5.0.5
    repository: https://dl.gitea.io/charts/
    condition: gitea.enabled
  - name: jenkins
--- a/charts/kubezero-ci/update.sh
+++ b/charts/kubezero-ci/update.sh
@ -1,4 +1,6 @@
 #!/bin/bash
 helm dep update
 # Create ZDT dashboard configmap
 ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
--- a/charts/kubezero-ci/values.yaml
+++ b/charts/kubezero-ci/values.yaml
@ -17,7 +17,7 @@ gitea:
  enabled: false
  image:
-    tag: 1.16.5
+    tag: 1.16.6
    rootless: true
  securityContext:
--- a/charts/kubezero-istio-gateway/Chart.yaml
+++ b/charts/kubezero-istio-gateway/Chart.yaml
@ -1,9 +1,8 @@
 apiVersion: v2
-name: kubezero-istio-ingress
+name: kubezero-istio-gateway
-description: KubeZero Umbrella Chart for Istio based Ingress
+description: KubeZero Umbrella Chart for Istio gateways
 type: application
-version: 0.7.6
+version: 0.8.0
 appVersion: 1.11.5
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -17,10 +16,7 @@ dependencies:
  - name: kubezero-lib
    version: ">= 0.1.4"
    repository: https://cdn.zero-downtime.net/charts/
-  - name: istio-ingress
+  - name: gateway
-    version: 1.11.5
+    version: 1.13.3
-    condition: istio-ingress.enabled
+    repository: https://istio-release.storage.googleapis.com/charts
  - name: istio-private-ingress
    version: 1.11.5
    condition: istio-private-ingress.enabled
 kubeVersion: ">= 1.20.0"
--- a/charts/kubezero-istio-gateway/README.md
+++ b/charts/kubezero-istio-gateway/README.md
--- a/charts/kubezero-istio-gateway/README.md.gotmpl
+++ b/charts/kubezero-istio-gateway/README.md.gotmpl
--- a/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml
@ -0,0 +1,12 @@
 apiVersion: v2
 appVersion: 1.13.3
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
 - istio
 - gateways
 name: gateway
 sources:
 - http://github.com/istio/istio
 type: application
 version: 1.13.3
--- a/charts/kubezero-istio-gateway/charts/gateway/README.md
+++ b/charts/kubezero-istio-gateway/charts/gateway/README.md
@ -0,0 +1,148 @@
 # Istio Gateway Helm Chart
 This chart installs an Istio gateway deployment.
 ## Setup Repo Info
 ```console
 helm repo add istio https://istio-release.storage.googleapis.com/charts
 helm repo update
 ```
 _See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
 ## Installing the Chart
 To install the chart with the release name `istio-ingressgateway`:
 ```console
 helm install istio-ingressgateway istio/gateway
 ```
 ## Uninstalling the Chart
 To uninstall/delete the `istio-ingressgateway` deployment:
 ```console
 helm delete istio-ingressgateway
 ```
 ## Configuration
 To view support configuration options and documentation, run:
 ```console
 helm show values istio/gateway
 ```
 ### `image: auto` Information
 The image used by the chart, `auto`, may be unintuitive.
 This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
 This allows the same configurations and lifecycle to apply to gateways as sidecars.
 Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
 See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
 ### Examples
 #### Egress Gateway
 Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
 ```yaml
 service:
  # Egress gateways do not need an external LoadBalancer IP
  type: ClusterIP
 ```
 #### Multi-network/VM Gateway
 Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
 ```yaml
 networkGateway: network-1
 ```
 ### Migrating from other installation methods
 Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
 following the guidance below.
 If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
 WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
 #### Legacy Gateway Helm charts
 Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
 These are replaced by this chart.
 While not required, it is recommended all new users use this chart, and existing users migrate when possible.
 This chart has the following benefits and differences:
 * Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
 * Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
 * Published to official Istio Helm repository.
 * Single chart for all gateways (Ingress, Egress, East West).
 #### General concerns
 For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
 If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
 ```yaml
 app: istio-gateway
 istio: gateway # the release name with leading istio- prefix stripped
 ```
 If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
 `foo=bar,istio=ingressgateway`:
 ```yaml
 name: my-custom-gateway # Override the name to match existing resources
 labels:
  app: "" # Unset default app selector label
  istio: ingressgateway # override default istio selector label
  foo: bar # Add the existing custom selector label
 ```
 #### Migrating an existing Helm release
 An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
 installation was done like:
 ```console
 helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
 ```
 It could be upgraded with
 ```console
 helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
 ```
 Note the name and labels are overridden to match the names of the existing installation.
 Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
 If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
 or customize the ports to match the old defaults.
 See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
 #### Other migrations
 If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
 The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
 ```console
 KINDS=(service deployment)
 RELEASE=istio-ingressgateway
 NAMESPACE=istio-system
 for KIND in "${KINDS[@]}"; do
    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
 done
 ```
 You may ignore errors about resources not being found.
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt
@ -0,0 +1,9 @@
 "{{ include "gateway.name" . }}" successfully installed!
 To learn more about the release, try:
  $ helm status {{ .Release.Name }}
  $ helm get all {{ .Release.Name }}
 Next steps:
  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl
@ -0,0 +1,52 @@
 {{- define "gateway.name" -}}
 {{- if eq .Release.Name "RELEASE-NAME" -}}
  {{- .Values.name | default "istio-ingressgateway" -}}
 {{- else -}}
  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
 {{- end -}}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "gateway.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- define "gateway.labels" -}}
 helm.sh/chart: {{ include "gateway.chart" . }}
 {{ include "gateway.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ include "gateway.name" . }}
 {{- range $key, $val := .Values.labels }}
 {{- if not (or (eq $key "app") (eq $key "istio")) }}
 {{ $key | quote }}: {{ $val | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- define "gateway.selectorLabels" -}}
 {{- if hasKey .Values.labels "app" }}
 {{- with .Values.labels.app }}app: {{.|quote}}
 {{- end}}
 {{- else }}app: {{ include "gateway.name" . }}
 {{- end }}
 {{- if hasKey .Values.labels "istio" }}
 {{- with .Values.labels.istio }}
 istio: {{.|quote}}
 {{- end}}
 {{- else }}
 istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
 {{- end }}
 {{- end }}
 {{- define "gateway.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
 {{- else }}
 {{- .Values.serviceAccount.name | default "default" }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml
@ -0,0 +1,104 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gateway.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "gateway.labels" . | nindent 4}}
  annotations:
    {{- .Values.annotations | toYaml | nindent 4 }}
 spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  # Give the LB 120s to detect and take into service
  # should only be 40s by we are on AWS so ...
  minReadySeconds: 120
  selector:
    matchLabels:
      {{- include "gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        sidecar.istio.io/inject: "true"
        {{- with .Values.revision }}
        istio.io/rev: {{ . }}
        {{- end }}
        {{- include "gateway.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      terminationGracePeriodSeconds: 120
      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
      securityContext:
      {{- if .Values.securityContext }}
        {{- toYaml .Values.securityContext | nindent 8 }}
      {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      {{- end }}
      containers:
        - name: istio-proxy
          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
          image: auto
          securityContext:
          {{- if .Values.containerSecurityContext }}
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
            capabilities:
              drop:
              - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
          {{- else }}
            capabilities:
              drop:
              - ALL
              add:
              - NET_BIND_SERVICE
            runAsUser: 0
            runAsGroup: 1337
            runAsNonRoot: false
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: true
          {{- end }}
          env:
          {{- with .Values.networkGateway }}
          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
            value: "{{.}}"
          {{- end }}
          {{- range $key, $val := .Values.env }}
          - name: {{ $key }}
            value: {{ $val | quote }}
          {{- end }}
          ports:
          - containerPort: 15090
            protocol: TCP
            name: http-envoy-prom
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml
@ -0,0 +1,28 @@
 {{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "gateway.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "gateway.labels" . | nindent 4 }}
  annotations:
    {{- .Values.annotations | toYaml | nindent 4 }}
 spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ include "gateway.name" . }}
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
          type: Utilization
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml
@ -0,0 +1,25 @@
 {{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
 {{- if .Values.rbac.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gateway.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gateway.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "gateway.serviceAccountName" . }}
 subjects:
 - kind: ServiceAccount
  name: {{ include "gateway.serviceAccountName" . }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml
@ -0,0 +1,52 @@
 {{- if not (eq .Values.service.type "None") }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gateway.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "gateway.labels" . | nindent 4 }}
    {{- with .Values.networkGateway }}
    topology.istio.io/network: "{{.}}"
    {{- end }}
  annotations:
    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
 spec:
 {{- with .Values.service.loadBalancerIP }}
  loadBalancerIP: "{{ . }}"
 {{- end }}
 {{- with .Values.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- with .Values.service.externalTrafficPolicy }}
  externalTrafficPolicy: "{{ . }}"
 {{- end }}
  type: {{ .Values.service.type }}
  ports:
 {{- if .Values.networkGateway }}
  - name: status-port
    port: 15021
    targetPort: 15021
  - name: tls
    port: 15443
    targetPort: 15443
  - name: tls-istiod
    port: 15012
    targetPort: 15012
  - name: tls-webhook
    port: 15017
    targetPort: 15017
 {{- else }}
  {{- range $key, $val := .Values.service.ports }}
  -
    {{- range $pkey, $pval := $val }}
    {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
    {{ $pkey}}: {{ $pval }}
    {{- end }}
    {{- end }}
  {{- end }}
 {{- end }}
  selector:
    {{- include "gateway.selectorLabels" . | nindent 4 }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml
@ -0,0 +1,13 @@
 {{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gateway.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "gateway.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/charts/gateway/values.schema.json
+++ b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json
@ -0,0 +1,193 @@
 {
  "$schema": "http://json-schema.org/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "global": {
      "type": "object"
    },
    "affinity": {
      "type": "object"
    },
    "securityContext": {
      "type": ["object", "null"]
    },
    "containerSecurityContext": {
      "type": ["object", "null"]
    },
    "annotations": {
      "additionalProperties": {
        "type": [
          "string",
          "integer"
        ]
      },
      "type": "object"
    },
    "autoscaling": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean"
        },
        "maxReplicas": {
          "type": "integer"
        },
        "minReplicas": {
          "type": "integer"
        },
        "targetCPUUtilizationPercentage": {
          "type": "integer"
        }
      }
    },
    "env": {
      "type": "object"
    },
    "labels": {
      "type": "object"
    },
    "name": {
      "type": "string"
    },
    "nodeSelector": {
      "type": "object"
    },
    "podAnnotations": {
      "type": "object",
      "properties": {
        "inject.istio.io/templates": {
          "type": "string"
        },
        "prometheus.io/path": {
          "type": "string"
        },
        "prometheus.io/port": {
          "type": "string"
        },
        "prometheus.io/scrape": {
          "type": "string"
        }
      }
    },
    "replicaCount": {
      "type": "integer"
    },
    "resources": {
      "type": "object",
      "properties": {
        "limits": {
          "type": "object",
          "properties": {
            "cpu": {
              "type": "string"
            },
            "memory": {
              "type": "string"
            }
          }
        },
        "requests": {
          "type": "object",
          "properties": {
            "cpu": {
              "type": "string"
            },
            "memory": {
              "type": "string"
            }
          }
        }
      }
    },
    "revision": {
      "type": "string"
    },
    "runAsRoot": {
      "type": "boolean"
    },
    "unprivilegedPort": {
      "type": ["string", "boolean"],
      "enum": [true, false, "auto"]
    },
    "service": {
      "type": "object",
      "properties": {
        "annotations": {
          "type": "object"
        },
        "externalTrafficPolicy": {
          "type": "string"
        },
        "loadBalancerIP": {
          "type": "string"
        },
        "loadBalancerSourceRanges": {
          "type": "array"
        },
        "ports": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "name": {
                "type": "string"
              },
              "port": {
                "type": "integer"
              },
              "protocol": {
                "type": "string"
              },
              "targetPort": {
                "type": "integer"
              }
            }
          }
        },
        "type": {
          "type": "string"
        }
      }
    },
    "serviceAccount": {
      "type": "object",
      "properties": {
        "annotations": {
          "type": "object"
        },
        "name": {
          "type": "string"
        },
        "create": {
          "type": "boolean"
        }
      }
    },
    "rbac": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean"
        }
      }
    },
    "tolerations": {
      "type": "array"
    },
    "networkGateway": {
      "type": "string"
    },
    "imagePullSecrets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          }
        }
      }
    }
  }
 }
--- a/charts/kubezero-istio-gateway/charts/gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/charts/gateway/values.yaml
@ -0,0 +1,88 @@
 # Name allows overriding the release name. Generally this should not be set
 name: ""
 # revision declares which revision this gateway is a part of
 revision: ""
 replicaCount: 1
 rbac:
  # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
  # when using http://gateway-api.org/.
  enabled: true
 serviceAccount:
  # If set, a service account will be created. Otherwise, the default is used
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set, the release name is used
  name: ""
 podAnnotations:
  prometheus.io/port: "15020"
  prometheus.io/scrape: "true"
  prometheus.io/path: "/stats/prometheus"
  inject.istio.io/templates: "gateway"
  sidecar.istio.io/inject: "true"
 # Define the security context for the pod.
 # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
 # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
 securityContext: ~
 containerSecurityContext: ~
 service:
  # Type of service. Set to "None" to disable the service entirely
  type: LoadBalancer
  ports:
  - name: status-port
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  annotations: {}
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""
 resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 2000m
    memory: 1024Mi
 autoscaling:
  enabled: true
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 80
 # Pod environment variables
 env: {}
 # Labels to apply to all resources
 labels: {}
 # Annotations to apply to all resources
 annotations: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
 # If specified, the gateway will act as a network gateway for the given network.
 networkGateway: ""
 imagePullSecrets: []
--- a/charts/kubezero-istio-gateway/templates/_gateway.tpl
+++ b/charts/kubezero-istio-gateway/templates/_gateway.tpl
@ -40,3 +40,14 @@
 {{- end }}
 {{- end }}
 {{- define "gatewayName" -}}
 {{ .Values.gateway.name | default .Release.Name | default "istio-ingressgateway" }}
 {{- end }}
 {{- define "gatewaySelectorLabels" -}}
 app: {{ include "gatewayName" . }}
 istio: {{ include "gatewayName" . | trimPrefix "istio-" }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
+++ b/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
@ -1,10 +1,9 @@
 {{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
 # https://github.com/istio/istio/issues/24715
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: istio-gateway-bootstrap-config
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-bootstrap-config
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
@ -58,4 +57,3 @@ data:
        ]
      }
    }
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@ -1,12 +1,14 @@
 {{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: ingressgateway-hardening
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening
  namespace: {{ .Release.Namespace }}
  labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+    {{ include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      {{- include "gatewaySelectorLabels" . | nindent 6 }}
  configPatches:
  - applyTo: CLUSTER
    patch:
@ -35,4 +37,3 @@ spec:
            initial_connection_window_size: 1048576 # 1 MiB
          #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml
@ -0,0 +1,29 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-listener-tcp-keepalive
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      {{- include "gatewaySelectorLabels" . | nindent 6 }}
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        socket_options:
          - level: 1 # SOL_SOCKET = 1
            name: 9 # SO_KEEPALIVE = 9
            int_value: 1
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 4 # TCP_KEEPIDLE = 4
            int_value: 120
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 5 # TCP_KEEPINTVL = 5
            int_value: 60
            state: STATE_PREBIND
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml
@ -0,0 +1,21 @@
 {{- if .Values.proxyProtocol }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-proxy-protocol
  namespace: {{ .Release.Namespace }}
  labels:
    {{ include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      {{- include "gatewaySelectorLabels" . | nindent 6 }}
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml
+++ b/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml
@ -0,0 +1,19 @@
 {{- range $cert := .Values.certificates }}
 {{- if $cert.dnsNames }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ $cert.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" $ | indent 4 }}
 spec:
  secretName: {{ $cert.name }}
  issuerRef:
    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
    kind: ClusterIssuer
  dnsNames:
 {{ toYaml $cert.dnsNames | indent 4 }}
 ---
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
+++ b/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
@ -1,19 +1,15 @@
 # Public Ingress Gateway
 {{- $gateway := index .Values "istio-ingress" }}
 {{- if and $gateway.enabled $gateway.certificates }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
-
+{{- if .Values.certificates }}
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
-  name: ingressgateway
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  selector:
-    istio: ingressgateway
+    {{- include "gatewaySelectorLabels" . | nindent 4 }}
  servers:
-  {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
+  {{- include "gatewayServers" (dict "certificates" .Values.certificates "ports" .Values.gateway.service.ports ) | nindent 2}}
 {{- end }}
--- a/charts/kubezero-istio-gateway/templates/podmonitor.yaml
+++ b/charts/kubezero-istio-gateway/templates/podmonitor.yaml
@ -1,8 +1,8 @@
-{{- if or ( index .Values "istio-ingress" "telemetry" "enabled" ) ( index .Values "istio-private-ingress" "telemetry" "enabled" )}}
+{{- if .Values.telemetry.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
-  name: envoy-stats-monitor
+  name: {{ include "gatewayName" . | trimPrefix "istio-" }}-envoy-stats-monitor
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
@ -10,6 +10,8 @@ spec:
  selector:
    matchExpressions:
    - {key: istio-prometheus-ignore, operator: DoesNotExist}
    matchLabels:
    {{- include "gatewaySelectorLabels" . | nindent 6 }}
  jobLabel: envoy-stats
  podMetricsEndpoints:
  - path: /stats/prometheus
--- a/charts/kubezero-istio-gateway/update.sh
+++ b/charts/kubezero-istio-gateway/update.sh
@ -0,0 +1,11 @@
 #!/bin/bash
 set -ex
 export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="gateway") | .version' Chart.yaml)
 helm dep update
 # Patch
 tar xf charts/gateway-$ISTIO_VERSION.tgz -C charts && rm -f charts/gateway-$ISTIO_VERSION.tgz
 #diff -tubr charts/gateway.orig charts/gateway
 patch -p0 -i zdt.patch --no-backup-if-mismatch
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@ -0,0 +1,87 @@
 gateway:
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 4
    targetCPUUtilizationPercentage: 80
  replicaCount: 1
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      # cpu: 100m
      memory: 512Mi
  service:
    type: NodePort
    externalTrafficPolicy: Local
    # Map port 80/443 to 8080/8443 so we don't need to root
    # ports is extended as follows:
    # noGateway: true -> this port does NOT get mapped to a Gateway port
    # tls: optional gateway port setting
    # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
    ports:
    - name: status-port
      port: 15021
      nodePort: 30021
      noGateway: true
    - name: http2
      port: 80
      targetPort: 8080
      nodePort: 30080
      gatewayProtocol: HTTP2
      tls:
        httpsRedirect: true
    - name: https
      port: 443
      targetPort: 8443
      nodePort: 30443
      gatewayProtocol: HTTPS
      tls:
        mode: SIMPLE
  affinity:
    # Only nodes who are fronted with matching NLB
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: node.kubernetes.io/ingress.public
            operator: Exists
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app
            operator: In
            values:
            - istio-ingressgateway
        topologyKey: "kubernetes.io/hostname"
  podAnnotations:
    proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
  # TODO
  # custom hardened bootstrap config
  #env:
  #  ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
  #configVolumes:
  #- name: custom-bootstrap-volume
  #  mountPath: /etc/istio/custom-bootstrap
  #  configMapName: istio-gateway-bootstrap-config
 certificates:
 - name: ingress-cert
  dnsNames: []
 #  - '*.example.com'
 telemetry:
  enabled: false
 proxyProtocol: true
--- a/charts/kubezero-istio-gateway/zdt.patch
+++ b/charts/kubezero-istio-gateway/zdt.patch
@ -0,0 +1,40 @@
 diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml
 --- charts/gateway.orig/templates/deployment.yaml	2022-04-21 01:00:49.624942235 +0200
 +++ charts/gateway/templates/deployment.yaml	2022-04-21 01:04:28.276506097 +0200
@@ -11,6 +11,9 @@
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
 +  # Give the LB 120s to detect and take into service
 +  # should only be 40s by we are on AWS so ...
 +  minReadySeconds: 120
   selector:
     matchLabels:
       {{- include "gateway.selectorLabels" . | nindent 6 }}
@@ -31,6 +34,7 @@
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
 +      terminationGracePeriodSeconds: 120
       serviceAccountName: {{ include "gateway.serviceAccountName" . }}
       securityContext:
       {{- if .Values.securityContext }}
 diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
 --- charts/gateway.orig/templates/service.yaml	2022-04-21 01:00:49.628275645 +0200
 +++ charts/gateway/templates/service.yaml	2022-04-21 01:08:56.785411051 +0200
@@ -38,7 +38,14 @@
     port: 15017
     targetPort: 15017
 {{- else }}
 -{{ .Values.service.ports | toYaml | indent 4 }}
 +  {{- range $key, $val := .Values.service.ports }}
 +  -
 +    {{- range $pkey, $pval := $val }}
 +    {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
 +    {{ $pkey}}: {{ $pval }}
 +    {{- end }}
 +    {{- end }}
 +  {{- end }}
 {{- end }}
   selector:
     {{- include "gateway.selectorLabels" . | nindent 4 }}
--- a/charts/kubezero-istio-ingress/.helmignore
+++ b/charts/kubezero-istio-ingress/.helmignore
@ -1 +0,0 @@
 ../kubezero-istio/.helmignore
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
@ -1,13 +0,0 @@
 apiVersion: v1
 name: istio-ingress
 version: 1.11.5
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:
  - istio
  - ingressgateway
  - gateways
 sources:
  - http://github.com/istio/istio
 engine: gotpl
 icon: https://istio.io/latest/favicons/android-192x192.png
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
@ -1,43 +0,0 @@
 Changes:
 - separate namespace allows:
 -- easier reconfig of just the gateway
 -- TLS secrets and domain name management is isolated, for better security
 -- simplified configuration
 -- multiple versions of the ingress can be used, to minimize upgrade risks
 - the new chart uses the default namespace service account, and doesn't require
 additional RBAC permissions.
 - simplified label and chart structure.
 - ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
 and allows a bit more flexibility.
 - the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
 # Port and basic host configuration
 In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
 In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
 both in upgrade, Gateway and VirtualService.
 The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
 Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
 config for the rest.
 All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
 # Migration from istio-system
 Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
 with the Service and bound to the namespace, it is recommended to:
 1. Install the new gateway in a new namespace.
 2. Copy any TLS certificate to the new namespace, and configure the domains.
 3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
 4. Modify the DNS server to add the A record of the new namespace
 5. Check traffic
 6. Delete the A record corresponding to the gateway in istio-system
 7. Upgrade istio-system, disabling the ingressgateway
 8. Delete the domain TLS certs from istio-system.
 If using certmanager, all Certificate and associated configs must be moved as well.
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl
@ -1,105 +0,0 @@
 {{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
 {{ define "nodeaffinity" }}
 nodeAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:
  {{- include "nodeAffinityRequiredDuringScheduling" . }}
  preferredDuringSchedulingIgnoredDuringExecution:
  {{- include "nodeAffinityPreferredDuringScheduling" . }}
 {{- end }}
 {{- define "nodeAffinityRequiredDuringScheduling" }}
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
        {{- range $key, $val := .global.arch }}
          {{- if gt ($val | int) 0 }}
          - {{ $key | quote }}
          {{- end }}
        {{- end }}
        {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
        {{- range $key, $val := $nodeSelector }}
        {{- if eq $val "Exists" }}
        - key: {{ $key }}
          operator: Exists
        {{- else }}
        - key: {{ $key }}
          operator: In
          values:
          - {{ $val | quote }}
        {{- end }}
        {{- end }}
 {{- end }}
 {{- define "nodeAffinityPreferredDuringScheduling" }}
  {{- range $key, $val := .global.arch }}
    {{- if gt ($val | int) 0 }}
    - weight: {{ $val | int }}
      preference:
        matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
          - {{ $key | quote }}
    {{- end }}
  {{- end }}
 {{- end }}
 {{- define "podAntiAffinity" }}
 {{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
  podAntiAffinity:
    {{- if .podAntiAffinityLabelSelector }}
    requiredDuringSchedulingIgnoredDuringExecution:
    {{- include "podAntiAffinityRequiredDuringScheduling" . }}
    {{- end }}
    {{- if .podAntiAffinityTermLabelSelector }}
    preferredDuringSchedulingIgnoredDuringExecution:
    {{- include "podAntiAffinityPreferredDuringScheduling" . }}
    {{- end }}
 {{- end }}
 {{- end }}
 {{- define "podAntiAffinityRequiredDuringScheduling" }}
    {{- range $index, $item := .podAntiAffinityLabelSelector }}
    - labelSelector:
        matchExpressions:
        - key: {{ $item.key }}
          operator: {{ $item.operator }}
          {{- if $item.values }}
          values:
          {{- $vals := split "," $item.values }}
          {{- range $i, $v := $vals }}
          - {{ $v | quote }}
          {{- end }}
          {{- end }}
      topologyKey: {{ $item.topologyKey }}
      {{- if $item.namespaces }}
      namespaces:
      {{- $ns := split "," $item.namespaces }}
      {{- range $i, $n := $ns }}
      - {{ $n | quote }}
      {{- end }}
      {{- end }}
    {{- end }}
 {{- end }}
 {{- define "podAntiAffinityPreferredDuringScheduling" }}
    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
    - podAffinityTerm:
        labelSelector:
          matchExpressions:
          - key: {{ $item.key }}
            operator: {{ $item.operator }}
            {{- if $item.values }}
            values:
            {{- $vals := split "," $item.values }}
            {{- range $i, $v := $vals }}
            - {{ $v | quote }}
            {{- end }}
            {{- end }}
        topologyKey: {{ $item.topologyKey }}
      weight: 100
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml
@ -1,27 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
  maxReplicas: {{ $gateway.autoscaleMax }}
  minReplicas: {{ $gateway.autoscaleMin }}
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ $gateway.name }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
 ---
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
@ -1,335 +0,0 @@
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if eq $gateway.injectionTemplate "" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if not $gateway.autoscaleEnabled }}
 {{- if $gateway.replicaCount }}
  replicas: {{ $gateway.replicaCount }}
 {{- end }}
  # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
  minReadySeconds: 120
 {{- end }}
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
 {{ $gateway.labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
 {{- end }}
        service.istio.io/canonical-name: {{ $gateway.name }}
        {{- if not (eq .Values.revision "") }}
        service.istio.io/canonical-revision: {{ .Values.revision }}
        {{- else}}
        service.istio.io/canonical-revision: latest
        {{- end }}
        istio.io/rev: {{ .Values.revision | default "default" }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        sidecar.istio.io/inject: "false"
      annotations:
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "false"
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
    spec:
 {{- if not $gateway.runAsRoot }}
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
 {{- end }}
      serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
      terminationGracePeriodSeconds: 120
 {{- if .Values.global.proxy.enableCoreDump }}
      initContainers:
        - name: enable-core-dump
 {{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
 {{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
          command:
            - /bin/sh
          args:
            - -c
            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
 {{- end }}
      containers:
        - name: istio-proxy
 {{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
 {{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        {{- if .Values.global.proxy.logLevel }}
          - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
        {{- end}}
        {{- if .Values.global.proxy.componentLogLevel }}
          - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
        {{- end}}
        {{- if .Values.global.logging.level }}
          - --log_output_level={{ .Values.global.logging.level }}
        {{- end}}
        {{- if .Values.global.logAsJson }}
          - --log_as_json
        {{- end }}
        {{- if .Values.global.sts.servicePort }}
          - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          #This needs kube-proxy support coming with 1.22 hopefully, cilium ?
          #lifecycle:
          #  preStop:
          #    exec:
          #      command: ["/bin/sh","-c","sleep 30"]
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
 {{- if $gateway.resources }}
 {{ toYaml $gateway.resources | indent 12 }}
 {{- else }}
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
          env:
          - name: JWT_POLICY
            value: {{ .Values.global.jwtPolicy }}
          - name: PILOT_CERT_PROVIDER
            value: {{ .Values.global.pilotCertProvider }}
          - name: CA_ADDR
          {{- if .Values.global.caAddress }}
            value: {{ .Values.global.caAddress }}
          {{- else }}
            value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
          {{- end }}
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_WORKLOAD_NAME
            value: {{ $gateway.name }}
          - name: ISTIO_META_OWNER
            value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
          {{- if $.Values.global.meshID }}
          - name: ISTIO_META_MESH_ID
            value: "{{ $.Values.global.meshID }}"
          {{- else if .Values.meshConfig.trustDomain }}
          - name: ISTIO_META_MESH_ID
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if .Values.meshConfig.trustDomain }}
          - name: TRUST_DOMAIN
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: "{{ $val }}"
          {{- end }}
          {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
          - name: {{ $key }}
            value: "{{ $value }}"
          {{- end }}
          {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
          {{- if and (not $network_set) .Values.global.network }}
          - name: ISTIO_META_NETWORK
            value: "{{ .Values.global.network }}"
          {{- end }}
          - name: ISTIO_META_CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          volumeMounts:
          - name: istio-envoy
            mountPath: /etc/istio/proxy
          - name: config-volume
            mountPath: /etc/istio/config
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
          - mountPath: /var/run/secrets/istio
            name: istiod-ca-cert
 {{- end }}
 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true
 {{- end }}
          {{- if .Values.global.mountMtlsCerts }}
          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          {{- end }}
          - mountPath: /var/lib/istio/data
            name: istio-data
          - name: podinfo
            mountPath: /etc/istio/pod
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
 {{- if $gateway.additionalContainers }}
 {{ toYaml $gateway.additionalContainers | indent 8 }}
 {{- end }}
      volumes:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
 {{- end }}
      - name: podinfo
        downwardAPI:
          items:
            - path: "labels"
              fieldRef:
                fieldPath: metadata.labels
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
      - name: istio-envoy
        emptyDir: {}
      - name: istio-data
        emptyDir: {}
 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
 {{- end }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      {{- end }}
      - name: config-volume
        configMap:
          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
          optional: true
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
 {{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
 {{- if $gateway.tolerations }}
      tolerations:
 {{ toYaml $gateway.tolerations | indent 6 }}
 {{- else if .Values.global.defaultTolerations }}
      tolerations:
 {{ toYaml .Values.global.defaultTolerations | indent 6 }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml
@ -1,143 +0,0 @@
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if ne $gateway.injectionTemplate "" }}
 {{/* This provides a minimal gateway, ready to be injected.
     Any settings from values.gateways should be here - these are options specific to the gateway.
     Global settings, like the image, various env vars and volumes, etc will be injected.
     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ $gateway.name | default "istio-ingressgateway" }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if not $gateway.autoscaleEnabled }}
 {{- if $gateway.replicaCount }}
  replicas: {{ $gateway.replicaCount }}
 {{- end }}
 {{- end }}
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
 {{ $gateway.labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
 {{- end }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        sidecar.istio.io/inject: "true"
        {{- with .Values.revision }}
        istio.io/rev: {{ . }}
        {{- end }}
      annotations:
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "true"
        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
    spec:
 {{- if not $gateway.runAsRoot }}
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
 {{- end }}
      serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
      containers:
        - name: istio-proxy
          image: auto
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          resources:
 {{- if $gateway.resources }}
 {{ toYaml $gateway.resources | indent 12 }}
 {{- else }}
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
          env:
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: {{ $val }}
          {{- end }}
          volumeMounts:
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
 {{- if $gateway.additionalContainers }}
 {{ toYaml $gateway.additionalContainers | indent 8 }}
 {{- end }}
      volumes:
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
 {{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
 {{- if $gateway.tolerations }}
      tolerations:
 {{ toYaml $gateway.tolerations | indent 6 }}
 {{- else if .Values.global.defaultTolerations }}
      tolerations:
 {{ toYaml .Values.global.defaultTolerations | indent 6 }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
@ -1,19 +0,0 @@
 {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | trim | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
  minAvailable: 1
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | trim | indent 6 }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
@ -1,16 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
 ---
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
@ -1,19 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $gateway.name }}-sds
 subjects:
 - kind: ServiceAccount
  name: {{ $gateway.name }}-service-account
 ---
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
@ -1,49 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if not $gateway.customService }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    {{- range $key, $val := $gateway.serviceAnnotations }}
    {{ $key }}: {{ $val | quote }}
    {{- end }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if $gateway.loadBalancerIP }}
  loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
 {{- end }}
 {{- if $gateway.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
 {{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
 {{- end }}
 {{- if $gateway.externalTrafficPolicy }}
  externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
 {{- end }}
  type: {{ $gateway.type }}
  selector:
 {{ $gateway.labels | toYaml | indent 4 }}
  ports:
    {{- range $key, $val := $gateway.ports }}
    -
      {{- range $pkey, $pval := $val }}
      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
    {{- end }}
    {{- end }}
  {{ range $app := $gateway.ingressPorts }}
    -
      port: {{ $app.port }}
      name: {{ $app.name }}
  {{- end }}
 ---
 {{ end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
 {{- end }}
 {{- end }}
 metadata:
  name: {{ $gateway.name }}-service-account
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | trim | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
  {{- with $gateway.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
@ -1,326 +0,0 @@
 # A-la-carte istio ingress gateway.
 # Must be installed in a separate namespace, to minimize access to secrets.
 gateways:
  istio-ingressgateway:
    name: istio-ingressgateway
    labels:
      app: istio-ingressgateway
      istio: ingressgateway
    ports:
    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
    # Note that AWS ELB will by default perform health checks on the first port
    # on this list. Setting this to the health check port will ensure that health
    # checks always work. https://github.com/istio/istio/issues/12503
    - port: 15021
      targetPort: 15021
      name: status-port
      protocol: TCP
    - port: 80
      targetPort: 8080
      name: http2
      protocol: TCP
    - port: 443
      targetPort: 8443
      name: https
      protocol: TCP
    # Scalability tuning
    # replicaCount: 1
    rollingMaxSurge: 100%
    rollingMaxUnavailable: 25%
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    cpu:
      targetAverageUtilization: 80
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    serviceAnnotations: {}
    # Enable cross-cluster access using SNI matching
    zvpn:
      enabled: false
      suffix: global
    # To generate an internal load balancer:
    # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
    #serviceAnnotations:
    #    cloud.google.com/load-balancer-type: "internal"
    podAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    ##############
    secretVolumes:
    - name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    - name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs
    customService: false
    externalTrafficPolicy: ""
    ingressPorts: []
    additionalContainers: []
    configVolumes: []
    serviceAccount:
      # Annotations to add to the service account
      annotations: {}
    ### Advanced options ############
    env:
      # A gateway with this mode ensures that pilot generates an additional
      # set of clusters for internal services but without Istio mTLS, to
      # enable cross cluster routing.
      ISTIO_META_ROUTER_MODE: "standard"
    nodeSelector: {}
    tolerations: []
    # Specify the pod anti-affinity that allows you to constrain which nodes
    # your pod is eligible to be scheduled based on labels on pods that are
    # already running on the node rather than based on labels on nodes.
    # There are currently two types of anti-affinity:
    #    "requiredDuringSchedulingIgnoredDuringExecution"
    #    "preferredDuringSchedulingIgnoredDuringExecution"
    # which denote "hard" vs. "soft" requirements, you can define your values
    # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
    # correspondingly.
    # For example:
    # podAntiAffinityLabelSelector:
    # - key: security
    #   operator: In
    #   values: S1,S2
    #   topologyKey: "kubernetes.io/hostname"
    # This pod anti-affinity rule says that the pod requires not to be scheduled
    # onto a node if that node is already running a pod with label having key
    # "security" and value "S1".
    podAntiAffinityLabelSelector: []
    podAntiAffinityTermLabelSelector: []
    # whether to run the gateway in a privileged container
    runAsRoot: false
    # The injection template to use for the gateway. If not set, no injection will be performed.
    injectionTemplate: ""
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
 revision: ""
 # For Helm compatibility.
 ownerName: ""
 global:
  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  defaultConfigVisibilitySettings: []
  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run a particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}
  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
  # A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to a particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: docker.io/istio
  # Default tag for Istio images.
  tag: 1.11.5
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""
  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # - private-registry-key
  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
  logAsJson: false
  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2
  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"
  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""
  proxy:
    image: proxyv2
    # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"
    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"
    # If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false
    # Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning
  ##############################################################################################
  # The following values are found in other charts. To effectively modify these values, make   #
  # make sure they are consistent across your Istio helm charts                                #
  ##############################################################################################
  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""
  # Used to locate istiod.
  istioNamespace: istio-system
  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"
  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false
  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""
    # The suffix for global service names
    globalDomainSuffix: "global"
    # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
    includeEnvoyFilter: true
  # Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""
  # Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod
  sds:
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca
  sts:
    # The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0
 meshConfig:
  enablePrometheusMerge: true
  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  trustDomain: "cluster.local"
  defaultConfig:
    proxyMetadata: {}
    tracing:
    #      tlsSettings:
    #        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
    #        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
    #        privateKey:        # example: /etc/istio/tracer/key.pem
    #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
    #        sni:               # example: tracer.somedomain
    #        subjectAltNames: []
    # - tracer.somedomain
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
@ -1,13 +0,0 @@
 apiVersion: v1
 name: istio-private-ingress
 version: 1.11.5
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:
  - istio
  - ingressgateway
  - gateways
 sources:
  - http://github.com/istio/istio
 engine: gotpl
 icon: https://istio.io/latest/favicons/android-192x192.png
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
@ -1,43 +0,0 @@
 Changes:
 - separate namespace allows:
 -- easier reconfig of just the gateway
 -- TLS secrets and domain name management is isolated, for better security
 -- simplified configuration
 -- multiple versions of the ingress can be used, to minimize upgrade risks
 - the new chart uses the default namespace service account, and doesn't require
 additional RBAC permissions.
 - simplified label and chart structure.
 - ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
 and allows a bit more flexibility.
 - the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
 # Port and basic host configuration
 In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
 In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
 both in upgrade, Gateway and VirtualService.
 The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
 Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
 config for the rest.
 All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
 # Migration from istio-system
 Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
 with the Service and bound to the namespace, it is recommended to:
 1. Install the new gateway in a new namespace.
 2. Copy any TLS certificate to the new namespace, and configure the domains.
 3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
 4. Modify the DNS server to add the A record of the new namespace
 5. Check traffic
 6. Delete the A record corresponding to the gateway in istio-system
 7. Upgrade istio-system, disabling the ingressgateway
 8. Delete the domain TLS certs from istio-system.
 If using certmanager, all Certificate and associated configs must be moved as well.
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
@ -1,105 +0,0 @@
 {{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
 {{ define "nodeaffinity" }}
 nodeAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:
  {{- include "nodeAffinityRequiredDuringScheduling" . }}
  preferredDuringSchedulingIgnoredDuringExecution:
  {{- include "nodeAffinityPreferredDuringScheduling" . }}
 {{- end }}
 {{- define "nodeAffinityRequiredDuringScheduling" }}
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
        {{- range $key, $val := .global.arch }}
          {{- if gt ($val | int) 0 }}
          - {{ $key | quote }}
          {{- end }}
        {{- end }}
        {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
        {{- range $key, $val := $nodeSelector }}
        {{- if eq $val "Exists" }}
        - key: {{ $key }}
          operator: Exists
        {{- else }}
        - key: {{ $key }}
          operator: In
          values:
          - {{ $val | quote }}
        {{- end }}
        {{- end }}
 {{- end }}
 {{- define "nodeAffinityPreferredDuringScheduling" }}
  {{- range $key, $val := .global.arch }}
    {{- if gt ($val | int) 0 }}
    - weight: {{ $val | int }}
      preference:
        matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
          - {{ $key | quote }}
    {{- end }}
  {{- end }}
 {{- end }}
 {{- define "podAntiAffinity" }}
 {{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
  podAntiAffinity:
    {{- if .podAntiAffinityLabelSelector }}
    requiredDuringSchedulingIgnoredDuringExecution:
    {{- include "podAntiAffinityRequiredDuringScheduling" . }}
    {{- end }}
    {{- if .podAntiAffinityTermLabelSelector }}
    preferredDuringSchedulingIgnoredDuringExecution:
    {{- include "podAntiAffinityPreferredDuringScheduling" . }}
    {{- end }}
 {{- end }}
 {{- end }}
 {{- define "podAntiAffinityRequiredDuringScheduling" }}
    {{- range $index, $item := .podAntiAffinityLabelSelector }}
    - labelSelector:
        matchExpressions:
        - key: {{ $item.key }}
          operator: {{ $item.operator }}
          {{- if $item.values }}
          values:
          {{- $vals := split "," $item.values }}
          {{- range $i, $v := $vals }}
          - {{ $v | quote }}
          {{- end }}
          {{- end }}
      topologyKey: {{ $item.topologyKey }}
      {{- if $item.namespaces }}
      namespaces:
      {{- $ns := split "," $item.namespaces }}
      {{- range $i, $n := $ns }}
      - {{ $n | quote }}
      {{- end }}
      {{- end }}
    {{- end }}
 {{- end }}
 {{- define "podAntiAffinityPreferredDuringScheduling" }}
    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
    - podAffinityTerm:
        labelSelector:
          matchExpressions:
          - key: {{ $item.key }}
            operator: {{ $item.operator }}
            {{- if $item.values }}
            values:
            {{- $vals := split "," $item.values }}
            {{- range $i, $v := $vals }}
            - {{ $v | quote }}
            {{- end }}
            {{- end }}
        topologyKey: {{ $item.topologyKey }}
      weight: 100
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
@ -1,27 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
  maxReplicas: {{ $gateway.autoscaleMax }}
  minReplicas: {{ $gateway.autoscaleMin }}
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ $gateway.name }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
 ---
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
@ -1,335 +0,0 @@
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if eq $gateway.injectionTemplate "" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if not $gateway.autoscaleEnabled }}
 {{- if $gateway.replicaCount }}
  replicas: {{ $gateway.replicaCount }}
 {{- end }}
  # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
  minReadySeconds: 120
 {{- end }}
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
 {{ $gateway.labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
 {{- end }}
        service.istio.io/canonical-name: {{ $gateway.name }}
        {{- if not (eq .Values.revision "") }}
        service.istio.io/canonical-revision: {{ .Values.revision }}
        {{- else}}
        service.istio.io/canonical-revision: latest
        {{- end }}
        istio.io/rev: {{ .Values.revision | default "default" }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        sidecar.istio.io/inject: "false"
      annotations:
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "false"
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
    spec:
 {{- if not $gateway.runAsRoot }}
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
 {{- end }}
      serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
      terminationGracePeriodSeconds: 120
 {{- if .Values.global.proxy.enableCoreDump }}
      initContainers:
        - name: enable-core-dump
 {{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
 {{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
          command:
            - /bin/sh
          args:
            - -c
            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
 {{- end }}
      containers:
        - name: istio-proxy
 {{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
 {{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
 {{- end }}
 {{- if .Values.global.imagePullPolicy }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 {{- end }}
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
        {{- if .Values.global.proxy.logLevel }}
          - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
        {{- end}}
        {{- if .Values.global.proxy.componentLogLevel }}
          - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
        {{- end}}
        {{- if .Values.global.logging.level }}
          - --log_output_level={{ .Values.global.logging.level }}
        {{- end}}
        {{- if .Values.global.logAsJson }}
          - --log_as_json
        {{- end }}
        {{- if .Values.global.sts.servicePort }}
          - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          #This needs kube-proxy support coming with 1.22 hopefully, cilium ?
          #lifecycle:
          #  preStop:
          #    exec:
          #      command: ["/bin/sh","-c","sleep 30"]
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15021
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
 {{- if $gateway.resources }}
 {{ toYaml $gateway.resources | indent 12 }}
 {{- else }}
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
          env:
          - name: JWT_POLICY
            value: {{ .Values.global.jwtPolicy }}
          - name: PILOT_CERT_PROVIDER
            value: {{ .Values.global.pilotCertProvider }}
          - name: CA_ADDR
          {{- if .Values.global.caAddress }}
            value: {{ .Values.global.caAddress }}
          {{- else }}
            value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
          {{- end }}
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_WORKLOAD_NAME
            value: {{ $gateway.name }}
          - name: ISTIO_META_OWNER
            value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
          {{- if $.Values.global.meshID }}
          - name: ISTIO_META_MESH_ID
            value: "{{ $.Values.global.meshID }}"
          {{- else if .Values.meshConfig.trustDomain }}
          - name: ISTIO_META_MESH_ID
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if .Values.meshConfig.trustDomain }}
          - name: TRUST_DOMAIN
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: "{{ $val }}"
          {{- end }}
          {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
          - name: {{ $key }}
            value: "{{ $value }}"
          {{- end }}
          {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
          {{- if and (not $network_set) .Values.global.network }}
          - name: ISTIO_META_NETWORK
            value: "{{ .Values.global.network }}"
          {{- end }}
          - name: ISTIO_META_CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          volumeMounts:
          - name: istio-envoy
            mountPath: /etc/istio/proxy
          - name: config-volume
            mountPath: /etc/istio/config
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
          - mountPath: /var/run/secrets/istio
            name: istiod-ca-cert
 {{- end }}
 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true
 {{- end }}
          {{- if .Values.global.mountMtlsCerts }}
          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          {{- end }}
          - mountPath: /var/lib/istio/data
            name: istio-data
          - name: podinfo
            mountPath: /etc/istio/pod
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
 {{- if $gateway.additionalContainers }}
 {{ toYaml $gateway.additionalContainers | indent 8 }}
 {{- end }}
      volumes:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
      - name: istiod-ca-cert
        configMap:
          name: istio-ca-root-cert
 {{- end }}
      - name: podinfo
        downwardAPI:
          items:
            - path: "labels"
              fieldRef:
                fieldPath: metadata.labels
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
      - name: istio-envoy
        emptyDir: {}
      - name: istio-data
        emptyDir: {}
 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              path: istio-token
              expirationSeconds: 43200
              audience: {{ .Values.global.sds.token.aud }}
 {{- end }}
      {{- if .Values.global.mountMtlsCerts }}
      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      {{- end }}
      - name: config-volume
        configMap:
          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
          optional: true
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
 {{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
 {{- if $gateway.tolerations }}
      tolerations:
 {{ toYaml $gateway.tolerations | indent 6 }}
 {{- else if .Values.global.defaultTolerations }}
      tolerations:
 {{ toYaml .Values.global.defaultTolerations | indent 6 }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml
@ -1,143 +0,0 @@
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if ne $gateway.injectionTemplate "" }}
 {{/* This provides a minimal gateway, ready to be injected.
     Any settings from values.gateways should be here - these are options specific to the gateway.
     Global settings, like the image, various env vars and volumes, etc will be injected.
     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ $gateway.name | default "istio-ingressgateway" }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if not $gateway.autoscaleEnabled }}
 {{- if $gateway.replicaCount }}
  replicas: {{ $gateway.replicaCount }}
 {{- end }}
 {{- end }}
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
 {{ $gateway.labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
 {{- end }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        sidecar.istio.io/inject: "true"
        {{- with .Values.revision }}
        istio.io/rev: {{ . }}
        {{- end }}
      annotations:
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "true"
        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
    spec:
 {{- if not $gateway.runAsRoot }}
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
 {{- end }}
      serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
      containers:
        - name: istio-proxy
          image: auto
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          resources:
 {{- if $gateway.resources }}
 {{ toYaml $gateway.resources | indent 12 }}
 {{- else }}
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
          env:
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: {{ $val }}
          {{- end }}
          volumeMounts:
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
 {{- if $gateway.additionalContainers }}
 {{ toYaml $gateway.additionalContainers | indent 8 }}
 {{- end }}
      volumes:
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
 {{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
      {{- include "podAntiAffinity" $gateway | indent 6 }}
 {{- if $gateway.tolerations }}
      tolerations:
 {{ toYaml $gateway.tolerations | indent 6 }}
 {{- else if .Values.global.defaultTolerations }}
      tolerations:
 {{ toYaml .Values.global.defaultTolerations | indent 6 }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
@ -1,19 +0,0 @@
 {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | trim | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
  minAvailable: 1
  selector:
    matchLabels:
 {{ $gateway.labels | toYaml | trim | indent 6 }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
@ -1,16 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
 ---
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
@ -1,19 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $gateway.name }}-sds
 subjects:
 - kind: ServiceAccount
  name: {{ $gateway.name }}-service-account
 ---
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
@ -1,49 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if not $gateway.customService }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ $gateway.name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    {{- range $key, $val := $gateway.serviceAnnotations }}
    {{ $key }}: {{ $val | quote }}
    {{- end }}
  labels:
 {{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
 spec:
 {{- if $gateway.loadBalancerIP }}
  loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
 {{- end }}
 {{- if $gateway.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
 {{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
 {{- end }}
 {{- if $gateway.externalTrafficPolicy }}
  externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
 {{- end }}
  type: {{ $gateway.type }}
  selector:
 {{ $gateway.labels | toYaml | indent 4 }}
  ports:
    {{- range $key, $val := $gateway.ports }}
    -
      {{- range $pkey, $pval := $val }}
      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
    {{- end }}
    {{- end }}
  {{ range $app := $gateway.ingressPorts }}
    -
      port: {{ $app.port }}
      name: {{ $app.name }}
  {{- end }}
 ---
 {{ end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
 {{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
 {{- end }}
 {{- end }}
 metadata:
  name: {{ $gateway.name }}-service-account
  namespace: {{ .Release.Namespace }}
  labels:
 {{ $gateway.labels | toYaml | trim | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
  {{- with $gateway.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
@ -1,326 +0,0 @@
 # A-la-carte istio ingress gateway.
 # Must be installed in a separate namespace, to minimize access to secrets.
 gateways:
  istio-ingressgateway:
    name: istio-ingressgateway
    labels:
      app: istio-ingressgateway
      istio: ingressgateway
    ports:
    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
    # Note that AWS ELB will by default perform health checks on the first port
    # on this list. Setting this to the health check port will ensure that health
    # checks always work. https://github.com/istio/istio/issues/12503
    - port: 15021
      targetPort: 15021
      name: status-port
      protocol: TCP
    - port: 80
      targetPort: 8080
      name: http2
      protocol: TCP
    - port: 443
      targetPort: 8443
      name: https
      protocol: TCP
    # Scalability tuning
    # replicaCount: 1
    rollingMaxSurge: 100%
    rollingMaxUnavailable: 25%
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    cpu:
      targetAverageUtilization: 80
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    serviceAnnotations: {}
    # Enable cross-cluster access using SNI matching
    zvpn:
      enabled: false
      suffix: global
    # To generate an internal load balancer:
    # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
    #serviceAnnotations:
    #    cloud.google.com/load-balancer-type: "internal"
    podAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    ##############
    secretVolumes:
    - name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    - name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs
    customService: false
    externalTrafficPolicy: ""
    ingressPorts: []
    additionalContainers: []
    configVolumes: []
    serviceAccount:
      # Annotations to add to the service account
      annotations: {}
    ### Advanced options ############
    env:
      # A gateway with this mode ensures that pilot generates an additional
      # set of clusters for internal services but without Istio mTLS, to
      # enable cross cluster routing.
      ISTIO_META_ROUTER_MODE: "standard"
    nodeSelector: {}
    tolerations: []
    # Specify the pod anti-affinity that allows you to constrain which nodes
    # your pod is eligible to be scheduled based on labels on pods that are
    # already running on the node rather than based on labels on nodes.
    # There are currently two types of anti-affinity:
    #    "requiredDuringSchedulingIgnoredDuringExecution"
    #    "preferredDuringSchedulingIgnoredDuringExecution"
    # which denote "hard" vs. "soft" requirements, you can define your values
    # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
    # correspondingly.
    # For example:
    # podAntiAffinityLabelSelector:
    # - key: security
    #   operator: In
    #   values: S1,S2
    #   topologyKey: "kubernetes.io/hostname"
    # This pod anti-affinity rule says that the pod requires not to be scheduled
    # onto a node if that node is already running a pod with label having key
    # "security" and value "S1".
    podAntiAffinityLabelSelector: []
    podAntiAffinityTermLabelSelector: []
    # whether to run the gateway in a privileged container
    runAsRoot: false
    # The injection template to use for the gateway. If not set, no injection will be performed.
    injectionTemplate: ""
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
 revision: ""
 # For Helm compatibility.
 ownerName: ""
 global:
  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  defaultConfigVisibilitySettings: []
  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run a particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}
  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
  # A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to a particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: docker.io/istio
  # Default tag for Istio images.
  tag: 1.11.5
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""
  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # - private-registry-key
  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
  logAsJson: false
  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2
  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"
  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""
  proxy:
    image: proxyv2
    # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"
    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"
    # If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false
    # Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning
  ##############################################################################################
  # The following values are found in other charts. To effectively modify these values, make   #
  # make sure they are consistent across your Istio helm charts                                #
  ##############################################################################################
  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""
  # Used to locate istiod.
  istioNamespace: istio-system
  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"
  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false
  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""
    # The suffix for global service names
    globalDomainSuffix: "global"
    # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
    includeEnvoyFilter: true
  # Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""
  # Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod
  sds:
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca
  sts:
    # The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0
 meshConfig:
  enablePrometheusMerge: true
  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  trustDomain: "cluster.local"
  defaultConfig:
    proxyMetadata: {}
    tracing:
    #      tlsSettings:
    #        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
    #        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
    #        privateKey:        # example: /etc/istio/tracer/key.pem
    #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
    #        sni:               # example: tracer.somedomain
    #        subjectAltNames: []
    # - tracer.somedomain
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
@ -1,64 +0,0 @@
 {{- if index .Values "istio-ingress" "enabled" }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: ingressgateway-listener-tcp-keepalive
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        socket_options:
          - level: 1 # SOL_SOCKET = 1
            name: 9 # SO_KEEPALIVE = 9
            int_value: 1
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 4 # TCP_KEEPIDLE = 4
            int_value: 120
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 5 # TCP_KEEPINTVL = 5
            int_value: 60
            state: STATE_PREBIND
 {{- end }}
 {{- if index .Values "istio-private-ingress" "enabled" }}
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: private-ingressgateway-listener-tcp-keepalive
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: private-ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        socket_options:
          - level: 1 # SOL_SOCKET = 1
            name: 9 # SO_KEEPALIVE = 9
            int_value: 1
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 4 # TCP_KEEPIDLE = 4
            int_value: 120
            state: STATE_PREBIND
          - level: 6 # IPPROTO_TCP = 6
            name: 5 # TCP_KEEPINTVL = 5
            int_value: 60
            state: STATE_PREBIND
 {{- end }}
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml
@ -1,44 +0,0 @@
 {{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: ingressgateway-proxy-protocol
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
 {{- end }}
 {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: private-ingressgateway-proxy-protocol
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: private-ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
 {{- end }}
--- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
@ -1,39 +0,0 @@
 {{- range $cert := (index .Values "istio-ingress" "certificates") }}
 {{- if $cert.dnsNames }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ $cert.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" $ | indent 4 }}
 spec:
  secretName: {{ $cert.name }}
  issuerRef:
    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
    kind: ClusterIssuer
  dnsNames:
 {{ toYaml $cert.dnsNames | indent 4 }}
 ---
 {{- end }}
 {{- end }}
 {{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
 {{- if $cert.dnsNames }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ $cert.name }}
  namespace: {{ $.Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" $ | indent 4 }}
 spec:
  secretName: private-ingress-cert
  issuerRef:
    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
    kind: ClusterIssuer
  dnsNames:
 {{ toYaml $cert.dnsNames | indent 4 }}
 ---
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml
@ -1,19 +0,0 @@
 # Private Ingress Gateway
 {{- $gateway := index .Values "istio-private-ingress" }}
 {{- if and $gateway.enabled $gateway.certificates }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
  name: private-ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  selector:
    istio: private-ingressgateway
  servers:
  {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
 {{- end }}
--- a/charts/kubezero-istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/values.yaml
@ -1,203 +0,0 @@
 # Make sure these values match kuberzero-istio !!!
 global:
  #hub: docker.io/istio
  tag: 1.11.5-distroless
  logAsJson: true
  priorityClassName: "system-cluster-critical"
  defaultPodDisruptionBudget:
    enabled: false
  arch:
    amd64: 2
 istio-ingress:
  enabled: false
  telemetry:
    enabled: false
  gateways:
    istio-ingressgateway:
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # cpu: 100m
          memory: 512Mi
      externalTrafficPolicy: Local
      podAntiAffinityLabelSelector:
      - key: app
        operator: In
        topologyKey: kubernetes.io/hostname
        values: istio-ingressgateway
      type: NodePort
      podAnnotations:
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
      # custom hardened bootstrap config
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
      - name: custom-bootstrap-volume
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config
      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      nodeSelector:
        node.kubernetes.io/ingress.public: "Exists"
      # Only nodes who are fronted with matching NLB
      #affintiy:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.public
      #          operator: Exists
      # Map port 80/443 to 8080/8443 so we don't need to root
      # ports is extended as follows:
      # noGateway: true -> this port does NOT get mapped to a Gateway port
      # tls: optional gateway port setting
      # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
      ports:
      - name: status-port
        port: 15021
        nodePort: 30021
        noGateway: true
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 30080
        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 30443
        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE
  certificates:
  - name: ingress-cert
    dnsNames: []
  #  - '*.example.com'
  proxyProtocol: true
  meshConfig:
   defaultConfig:
     proxyMetadata:
       # ISTIO_META_HTTP10: 1
 istio-private-ingress:
  enabled: false
  telemetry:
    enabled: false
  gateways:
    istio-ingressgateway:
      # name and labels make the ingress private 
      name: istio-private-ingressgateway
      labels:
        app: istio-private-ingressgateway
        istio: private-ingressgateway
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # cpu: 100m
          memory: 512Mi
      externalTrafficPolicy: Local
      podAntiAffinityLabelSelector:
      - key: app
        operator: In
        topologyKey: kubernetes.io/hostname
        values: istio-private-ingressgateway
      type: NodePort
      podAnnotations:
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
      # custom hardened bootstrap config
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
      - name: custom-bootstrap-volume
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config
      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      nodeSelector:
        node.kubernetes.io/ingress.private: "Exists"
      # Only nodes who are fronted with matching NLB
      #affintiy:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.private
      #          operator: Exists
      ports:
      - name: status-port
        port: 15021
        nodePort: 31021
        noGateway: true
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 31080
        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 31443
        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE
      #- name: fluentd-forward
      #  port: 24224
      #  nodePort: 31224
      #  gatewayProtocol: TLS
      #  tls:
      #    mode: SIMPLE
      #- name: amqps
      #  port: 5671
      #  nodePort: 31671
      #- name: amqp
      #  port: 5672
      #  nodePort: 31672
      #- name: redis
      #  port: 6379
      #  nodePort: 31379
  certificates:
  - name: private-ingress-cert
    dnsNames: []
    #- '*.example.com'
  proxyProtocol: true
  meshConfig:
   defaultConfig:
     proxyMetadata:
       # ISTIO_META_HTTP10: 1
--- a/charts/kubezero-istio/dashboards.yaml
+++ b/charts/kubezero-istio/dashboards.yaml
@ -2,7 +2,7 @@
 configmap: grafana-dashboards
 gzip: true
 folder: Istio
-condition: 'index .Values "istio-discovery" "telemetry" "enabled"'
+condition: '.Values.istiod.telemetry.enabled'
 dashboards:
 - name: istio-control-plane
  url: https://grafana.com/api/dashboards/7645/revisions/115/download
--- a/charts/kubezero-istio/templates/grafana-dashboards.yaml
+++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml
@ -1,4 +1,4 @@
-{{- if index .Values "istio-discovery" "telemetry" "enabled" }}
+{{- if .Values.istiod.telemetry.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/charts/kubezero/templates/_app.tpl
+++ b/charts/kubezero/templates/_app.tpl
@ -17,7 +17,11 @@ spec:
  project: kubezero
  source:
    {{- if index .Values $name "chart" }}
    chart: {{ index .Values $name "chart" }}
    {{- else }}
    chart: kubezero-{{ $name }}
    {{- end }}
    repoURL: {{ .Values.kubezero.repoURL }}
    targetRevision: {{ default .Values.kubezero.targetRevision ( index .Values $name "targetRevision" ) | quote }}
    helm:
--- a/charts/kubezero/templates/istio-ingress.yaml
+++ b/charts/kubezero/templates/istio-ingress.yaml
@ -1,51 +0,0 @@
 {{- define "_ingress" }}
 enabled: {{ .enabled }}
 {{- with .gateway }}
 gateways:
  istio-ingressgateway:
    {{- toYaml . | nindent 6 }}
 {{- end }}
 certificates:
 {{- with .dnsNames }}
 # Legacy to be removed with 1.21 !!
 - name: ingress-cert
  dnsNames:
  {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- range $cert := .certificates }}
 - name: {{ $cert.name }}
  dnsNames:
  {{- toYaml $cert.dnsNames | nindent 4 }}
 {{- end }}
 proxyProtocol: {{ default true .proxyProtocol }}
 {{- end }}
 {{- define "istio-ingress-values" }}
 {{- with index .Values "istio-ingress" "global" }}
 global:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- with index .Values "istio-ingress" "public" }}
 istio-ingress:
  telemetry:
    enabled: {{ $.Values.metrics.enabled }}
 {{- include "_ingress" . | nindent 2 }}
 {{- end }}
 {{- with index .Values "istio-ingress" "private" }}
 istio-private-ingress:
  telemetry:
    enabled: {{ $.Values.metrics.enabled }}
 {{- include "_ingress" . | nindent 2 }}
 {{- end }}
 {{- end }}
 {{- define "istio-ingress-argo" }}
 {{- end }}
 {{ include "kubezero-app.app" . }}
--- a/charts/kubezero/templates/istio-private-ingress.yaml
+++ b/charts/kubezero/templates/istio-private-ingress.yaml
@ -0,0 +1,28 @@
 {{- define "istio-private-ingress-values" }}
 gateway:
  name: istio-private-ingressgateway
  labels:    
    app: istio-private-ingressgateway
    istio: private-ingressgateway
  {{- with index .Values "istio-private-ingress" "gateway" }}
  {{- toYaml . | nindent 2 }}
  {{- end }}
 telemetry:
  enabled: {{ $.Values.metrics.enabled }}
 certificates:
 {{- range $cert := index .Values "istio-private-ingress" "certificates" }}
 - name: {{ $cert.name }}
  dnsNames:
  {{- toYaml $cert.dnsNames | nindent 4 }}
 {{- end }}
 proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
 {{- end }}
 {{- define "istio-private-ingress-argo" }}
 {{- end }}
 {{ include "kubezero-app.app" . }}
--- a/charts/kubezero/templates/istio.yaml
+++ b/charts/kubezero/templates/istio.yaml
@ -1,7 +1,7 @@
 {{- define "istio-values" }}
-istio-discovery:
+istiod:
  telemetry:
-    enabled: {{ .Values.metrics.enabled }}
+    enabled: {{ $.Values.metrics.enabled }}
 {{- if .Values.HighAvailableControlplane }}
  pilot:
    replicaCount: 2
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -31,12 +31,18 @@ storage:
 istio:
  enabled: false
  namespace: istio-system
-  targetRevision: 0.7.6
+  targetRevision: 0.8.0
 istio-ingress:
  enabled: false
  namespace: istio-ingress
-  targetRevision: 0.7.6
+  targetRevision: 0.8.0
 istio-private-ingress:
  enabled: false
  chart: kubezero-istio-gateway
  namespace: istio-ingress
  targetRevision: 0.8.0
 metrics:
  enabled: false