ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: Istio Ingress migration to new gateway charts

Browse Source
This commit is contained in:
Stefan Reimer 2022-04-21 13:57:34 +02:00
parent 07b2963661
commit 39ba92132e
65 changed files with 1011 additions and 2691 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/kubezero-ci/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-ci
description: KubeZero umbrella chart for all things CI
type: application
version: 0.4.44
version: 0.4.45
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -22,7 +22,7 @@ dependencies:
repository: https://gocd.github.io/helm-chart
condition: gocd.enabled
- name: gitea
version: 5.0.3
version: 5.0.5
repository: https://dl.gitea.io/charts/
condition: gitea.enabled
- name: jenkins

2
charts/kubezero-ci/update.sh
View File

@ -1,4 +1,6 @@
#!/bin/bash
helm dep update
# Create ZDT dashboard configmap
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml

2
charts/kubezero-ci/values.yaml
View File

@ -17,7 +17,7 @@ gitea:
enabled: false
image:
tag: 1.16.5
tag: 1.16.6
rootless: true
securityContext:

16
charts/kubezero-istio-ingress/Chart.yaml → charts/kubezero-istio-gateway/Chart.yaml
View File

@ -1,9 +1,8 @@
apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
name: kubezero-istio-gateway
description: KubeZero Umbrella Chart for Istio gateways
type: application
version: 0.7.6
appVersion: 1.11.5
version: 0.8.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -17,10 +16,7 @@ dependencies:
- name: kubezero-lib
version: ">= 0.1.4"
repository: https://cdn.zero-downtime.net/charts/
- name: istio-ingress
version: 1.11.5
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.11.5
condition: istio-private-ingress.enabled
- name: gateway
version: 1.13.3
repository: https://istio-release.storage.googleapis.com/charts
kubeVersion: ">= 1.20.0"

0
charts/kubezero-istio-ingress/README.md → charts/kubezero-istio-gateway/README.md
View File

0
charts/kubezero-istio-ingress/README.md.gotmpl → charts/kubezero-istio-gateway/README.md.gotmpl
View File

12
charts/kubezero-istio-gateway/charts/gateway/Chart.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v2
appVersion: 1.13.3
description: Helm chart for deploying Istio gateways
icon: https://istio.io/latest/favicons/android-192x192.png
keywords:
- istio
- gateways
name: gateway
sources:
- http://github.com/istio/istio
type: application
version: 1.13.3

148
charts/kubezero-istio-gateway/charts/gateway/README.md Normal file
View File

@ -0,0 +1,148 @@
# Istio Gateway Helm Chart
This chart installs an Istio gateway deployment.
## Setup Repo Info
```console
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Installing the Chart
To install the chart with the release name `istio-ingressgateway`:
```console
helm install istio-ingressgateway istio/gateway
```
## Uninstalling the Chart
To uninstall/delete the `istio-ingressgateway` deployment:
```console
helm delete istio-ingressgateway
```
## Configuration
To view support configuration options and documentation, run:
```console
helm show values istio/gateway
```
### `image: auto` Information
The image used by the chart, `auto`, may be unintuitive.
This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
This allows the same configurations and lifecycle to apply to gateways as sidecars.
Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
### Examples
#### Egress Gateway
Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
```yaml
service:
# Egress gateways do not need an external LoadBalancer IP
type: ClusterIP
```
#### Multi-network/VM Gateway
Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
```yaml
networkGateway: network-1
```
### Migrating from other installation methods
Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
following the guidance below.
If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
#### Legacy Gateway Helm charts
Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
These are replaced by this chart.
While not required, it is recommended all new users use this chart, and existing users migrate when possible.
This chart has the following benefits and differences:
* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
* Published to official Istio Helm repository.
* Single chart for all gateways (Ingress, Egress, East West).
#### General concerns
For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
```yaml
app: istio-gateway
istio: gateway # the release name with leading istio- prefix stripped
```
If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
`foo=bar,istio=ingressgateway`:
```yaml
name: my-custom-gateway # Override the name to match existing resources
labels:
app: "" # Unset default app selector label
istio: ingressgateway # override default istio selector label
foo: bar # Add the existing custom selector label
```
#### Migrating an existing Helm release
An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
installation was done like:
```console
helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
```
It could be upgraded with
```console
helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
```
Note the name and labels are overridden to match the names of the existing installation.
Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
or customize the ports to match the old defaults.
See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
#### Other migrations
If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
```console
KINDS=(service deployment)
RELEASE=istio-ingressgateway
NAMESPACE=istio-system
for KIND in "${KINDS[@]}"; do
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
done
```
You may ignore errors about resources not being found.

9
charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt Normal file
View File

@ -0,0 +1,9 @@
"{{ include "gateway.name" . }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}
Next steps:
* Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
* Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/

52
charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,52 @@
{{- define "gateway.name" -}}
{{- if eq .Release.Name "RELEASE-NAME" -}}
{{- .Values.name | default "istio-ingressgateway" -}}
{{- else -}}
{{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
{{- end -}}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "gateway.labels" -}}
helm.sh/chart: {{ include "gateway.chart" . }}
{{ include "gateway.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "gateway.name" . }}
{{- range $key, $val := .Values.labels }}
{{- if not (or (eq $key "app") (eq $key "istio")) }}
{{ $key | quote }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "gateway.selectorLabels" -}}
{{- if hasKey .Values.labels "app" }}
{{- with .Values.labels.app }}app: {{.|quote}}
{{- end}}
{{- else }}app: {{ include "gateway.name" . }}
{{- end }}
{{- if hasKey .Values.labels "istio" }}
{{- with .Values.labels.istio }}
istio: {{.|quote}}
{{- end}}
{{- else }}
istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
{{- end }}
{{- end }}
{{- define "gateway.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
{{- else }}
{{- .Values.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}

104
charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml Normal file
View File

@ -0,0 +1,104 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
# Give the LB 120s to detect and take into service
# should only be 40s by we are on AWS so ...
minReadySeconds: 120
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
{{- include "gateway.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 120
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
securityContext:
{{- if .Values.securityContext }}
{{- toYaml .Values.securityContext | nindent 8 }}
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
containers:
- name: istio-proxy
# "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
image: auto
securityContext:
{{- if .Values.containerSecurityContext }}
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
{{- else }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 0
runAsGroup: 1337
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
{{- end }}
env:
{{- with .Values.networkGateway }}
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: "{{.}}"
{{- end }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

28
charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "gateway.name" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization
{{- end }}
{{- end }}

25
charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml Normal file
View File

@ -0,0 +1,25 @@
{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gateway.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gateway.serviceAccountName" . }}
{{- end }}

52
charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml Normal file
View File

@ -0,0 +1,52 @@
{{- if not (eq .Values.service.type "None") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.networkGateway }}
topology.istio.io/network: "{{.}}"
{{- end }}
annotations:
{{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
spec:
{{- with .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ . }}"
{{- end }}
{{- with .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.service.externalTrafficPolicy }}
externalTrafficPolicy: "{{ . }}"
{{- end }}
type: {{ .Values.service.type }}
ports:
{{- if .Values.networkGateway }}
- name: status-port
port: 15021
targetPort: 15021
- name: tls
port: 15443
targetPort: 15443
- name: tls-istiod
port: 15012
targetPort: 15012
- name: tls-webhook
port: 15017
targetPort: 15017
{{- else }}
{{- range $key, $val := .Values.service.ports }}
-
{{- range $pkey, $pval := $val }}
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
selector:
{{- include "gateway.selectorLabels" . | nindent 4 }}
{{- end }}

13
charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

193
charts/kubezero-istio-gateway/charts/gateway/values.schema.json Normal file
View File

@ -0,0 +1,193 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"additionalProperties": false,
"properties": {
"global": {
"type": "object"
},
"affinity": {
"type": "object"
},
"securityContext": {
"type": ["object", "null"]
},
"containerSecurityContext": {
"type": ["object", "null"]
},
"annotations": {
"additionalProperties": {
"type": [
"string",
"integer"
]
},
"type": "object"
},
"autoscaling": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"maxReplicas": {
"type": "integer"
},
"minReplicas": {
"type": "integer"
},
"targetCPUUtilizationPercentage": {
"type": "integer"
}
}
},
"env": {
"type": "object"
},
"labels": {
"type": "object"
},
"name": {
"type": "string"
},
"nodeSelector": {
"type": "object"
},
"podAnnotations": {
"type": "object",
"properties": {
"inject.istio.io/templates": {
"type": "string"
},
"prometheus.io/path": {
"type": "string"
},
"prometheus.io/port": {
"type": "string"
},
"prometheus.io/scrape": {
"type": "string"
}
}
},
"replicaCount": {
"type": "integer"
},
"resources": {
"type": "object",
"properties": {
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
},
"requests": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
}
}
},
"revision": {
"type": "string"
},
"runAsRoot": {
"type": "boolean"
},
"unprivilegedPort": {
"type": ["string", "boolean"],
"enum": [true, false, "auto"]
},
"service": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"externalTrafficPolicy": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"loadBalancerSourceRanges": {
"type": "array"
},
"ports": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
},
"targetPort": {
"type": "integer"
}
}
}
},
"type": {
"type": "string"
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"name": {
"type": "string"
},
"create": {
"type": "boolean"
}
}
},
"rbac": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"tolerations": {
"type": "array"
},
"networkGateway": {
"type": "string"
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}
}
}
}

88
charts/kubezero-istio-gateway/charts/gateway/values.yaml Normal file
View File

@ -0,0 +1,88 @@
# Name allows overriding the release name. Generally this should not be set
name: ""
# revision declares which revision this gateway is a part of
revision: ""
replicaCount: 1
rbac:
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
# when using http://gateway-api.org/.
enabled: true
serviceAccount:
# If set, a service account will be created. Otherwise, the default is used
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set, the release name is used
name: ""
podAnnotations:
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
inject.istio.io/templates: "gateway"
sidecar.istio.io/inject: "true"
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: ~
containerSecurityContext: ~
service:
# Type of service. Set to "None" to disable the service entirely
type: LoadBalancer
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
annotations: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
externalTrafficPolicy: ""
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
# Pod environment variables
env: {}
# Labels to apply to all resources
labels: {}
# Annotations to apply to all resources
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
# If specified, the gateway will act as a network gateway for the given network.
networkGateway: ""
imagePullSecrets: []

11
charts/kubezero-istio-ingress/templates/_gateway.tpl → charts/kubezero-istio-gateway/templates/_gateway.tpl
View File

@ -40,3 +40,14 @@
{{- end }}
{{- end }}
{{- define "gatewayName" -}}
{{ .Values.gateway.name | default .Release.Name | default "istio-ingressgateway" }}
{{- end }}
{{- define "gatewaySelectorLabels" -}}
app: {{ include "gatewayName" . }}
istio: {{ include "gatewayName" . | trimPrefix "istio-" }}
{{- end }}

4
charts/kubezero-istio-ingress/templates/bootstrap-config.yaml → charts/kubezero-istio-gateway/templates/bootstrap-config.yaml
View File

@ -1,10 +1,9 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
# https://github.com/istio/istio/issues/24715
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-gateway-bootstrap-config
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-bootstrap-config
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
@ -58,4 +57,3 @@ data:
]
}
}
{{- end }}

9
charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml → charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
View File

@ -1,12 +1,14 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-hardening
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{ include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
{{- include "gatewaySelectorLabels" . | nindent 6 }}
configPatches:
- applyTo: CLUSTER
patch:
@ -35,4 +37,3 @@ spec:
initial_connection_window_size: 1048576 # 1 MiB
#stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
#request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
{{- end }}

29
charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
{{- include "gatewaySelectorLabels" . | nindent 6 }}
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
- level: 1 # SOL_SOCKET = 1
name: 9 # SO_KEEPALIVE = 9
int_value: 1
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 4 # TCP_KEEPIDLE = 4
int_value: 120
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 5 # TCP_KEEPINTVL = 5
int_value: 60
state: STATE_PREBIND

21
charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.proxyProtocol }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
{{- include "gatewaySelectorLabels" . | nindent 6 }}
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}

19
charts/kubezero-istio-gateway/templates/ingress-certificate.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- range $cert := .Values.certificates }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ $cert.name }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
secretName: {{ $cert.name }}
issuerRef:
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer
dnsNames:
{{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }}

12
charts/kubezero-istio-ingress/templates/ingress-gateway.yaml → charts/kubezero-istio-gateway/templates/ingress-gateway.yaml
View File

@ -1,19 +1,15 @@
# Public Ingress Gateway
{{- $gateway := index .Values "istio-ingress" }}
{{- if and $gateway.enabled $gateway.certificates }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
{{- if .Values.certificates }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: ingressgateway
name: {{ include "gatewayName" . | trimPrefix "istio-" }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
istio: ingressgateway
{{- include "gatewaySelectorLabels" . | nindent 4 }}
servers:
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
{{- include "gatewayServers" (dict "certificates" .Values.certificates "ports" .Values.gateway.service.ports ) | nindent 2}}
{{- end }}

6
charts/kubezero-istio-ingress/templates/podmonitor.yaml → charts/kubezero-istio-gateway/templates/podmonitor.yaml
View File

@ -1,8 +1,8 @@
{{- if or ( index .Values "istio-ingress" "telemetry" "enabled" ) ( index .Values "istio-private-ingress" "telemetry" "enabled" )}}
{{- if .Values.telemetry.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: envoy-stats-monitor
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-envoy-stats-monitor
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
@ -10,6 +10,8 @@ spec:
selector:
matchExpressions:
- {key: istio-prometheus-ignore, operator: DoesNotExist}
matchLabels:
{{- include "gatewaySelectorLabels" . | nindent 6 }}
jobLabel: envoy-stats
podMetricsEndpoints:
- path: /stats/prometheus

11
charts/kubezero-istio-gateway/update.sh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
set -ex
export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="gateway") | .version' Chart.yaml)
helm dep update
# Patch
tar xf charts/gateway-$ISTIO_VERSION.tgz -C charts && rm -f charts/gateway-$ISTIO_VERSION.tgz
#diff -tubr charts/gateway.orig charts/gateway
patch -p0 -i zdt.patch --no-backup-if-mismatch

87
charts/kubezero-istio-gateway/values.yaml Normal file
View File

@ -0,0 +1,87 @@
gateway:
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 4
targetCPUUtilizationPercentage: 80
replicaCount: 1
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
# cpu: 100m
memory: 512Mi
service:
type: NodePort
externalTrafficPolicy: Local
# Map port 80/443 to 8080/8443 so we don't need to root
# ports is extended as follows:
# noGateway: true -> this port does NOT get mapped to a Gateway port
# tls: optional gateway port setting
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
ports:
- name: status-port
port: 15021
nodePort: 30021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 30443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
affinity:
# Only nodes who are fronted with matching NLB
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/ingress.public
operator: Exists
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- istio-ingressgateway
topologyKey: "kubernetes.io/hostname"
podAnnotations:
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# TODO
# custom hardened bootstrap config
#env:
# ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
#configVolumes:
#- name: custom-bootstrap-volume
# mountPath: /etc/istio/custom-bootstrap
# configMapName: istio-gateway-bootstrap-config
certificates:
- name: ingress-cert
dnsNames: []
# - '*.example.com'
telemetry:
enabled: false
proxyProtocol: true

40
charts/kubezero-istio-gateway/zdt.patch Normal file
View File

@ -0,0 +1,40 @@
diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml
--- charts/gateway.orig/templates/deployment.yaml 2022-04-21 01:00:49.624942235 +0200
+++ charts/gateway/templates/deployment.yaml 2022-04-21 01:04:28.276506097 +0200
@@ -11,6 +11,9 @@
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
+ # Give the LB 120s to detect and take into service
+ # should only be 40s by we are on AWS so ...
+ minReadySeconds: 120
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
@@ -31,6 +34,7 @@
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
+ terminationGracePeriodSeconds: 120
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
securityContext:
{{- if .Values.securityContext }}
diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
--- charts/gateway.orig/templates/service.yaml 2022-04-21 01:00:49.628275645 +0200
+++ charts/gateway/templates/service.yaml 2022-04-21 01:08:56.785411051 +0200
@@ -38,7 +38,14 @@
port: 15017
targetPort: 15017
{{- else }}
-{{ .Values.service.ports | toYaml | indent 4 }}
+ {{- range $key, $val := .Values.service.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
{{- end }}
selector:
{{- include "gateway.selectorLabels" . | nindent 4 }}

1
charts/kubezero-istio-ingress/.helmignore
View File

@ -1 +0,0 @@
../kubezero-istio/.helmignore

13
charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v1
name: istio-ingress
version: 1.11.5
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
View File

@ -1,43 +0,0 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

105
charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl
View File

@ -1,105 +0,0 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{ define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
{{- if eq $val "Exists" }}
- key: {{ $key }}
operator: Exists
{{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- if $item.namespaces }}
namespaces:
{{- $ns := split "," $item.namespaces }}
{{- range $i, $n := $ns }}
- {{ $n | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml
View File

@ -1,27 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

335
charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
View File

@ -1,335 +0,0 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
# Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
minReadySeconds: 120
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 120
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
#This needs kube-proxy support coming with 1.22 hopefully, cilium ?
#lifecycle:
# preStop:
# exec:
# command: ["/bin/sh","-c","sleep 30"]
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

143
charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml
View File

@ -1,143 +0,0 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
View File

@ -1,19 +0,0 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
View File

@ -1,16 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
View File

@ -1,19 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name }}-service-account
---

49
charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
View File

@ -1,49 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

22
charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
View File

@ -1,22 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
{{- with $gateway.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}

326
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
View File

@ -1,326 +0,0 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# Scalability tuning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
serviceAccount:
# Annotations to add to the service account
annotations: {}
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "standard"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# Default node selector to be applied to all deployments so that all pods can be
# constrained to run a particular nodes. Each component can overwrite these default
# values by adding its node selector block in the relevant section below and setting
# the desired values.
defaultNodeSelector: {}
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.11.5
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
meshConfig:
enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

13
charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v1
name: istio-private-ingress
version: 1.11.5
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
View File

@ -1,43 +0,0 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

105
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
View File

@ -1,105 +0,0 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{ define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
{{- if eq $val "Exists" }}
- key: {{ $key }}
operator: Exists
{{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- if $item.namespaces }}
namespaces:
{{- $ns := split "," $item.namespaces }}
{{- range $i, $n := $ns }}
- {{ $n | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
View File

@ -1,27 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

335
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
View File

@ -1,335 +0,0 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
# Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
minReadySeconds: 120
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 120
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
#This needs kube-proxy support coming with 1.22 hopefully, cilium ?
#lifecycle:
# preStop:
# exec:
# command: ["/bin/sh","-c","sleep 30"]
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

143
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml
View File

@ -1,143 +0,0 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
View File

@ -1,19 +0,0 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
View File

@ -1,16 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
View File

@ -1,19 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name }}-service-account
---

49
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
View File

@ -1,49 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

22
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml
View File

@ -1,22 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
{{- with $gateway.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}

326
charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
View File

@ -1,326 +0,0 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# Scalability tuning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
serviceAccount:
# Annotations to add to the service account
annotations: {}
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "standard"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# Default node selector to be applied to all deployments so that all pods can be
# constrained to run a particular nodes. Each component can overwrite these default
# values by adding its node selector block in the relevant section below and setting
# the desired values.
defaultNodeSelector: {}
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.11.5
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
meshConfig:
enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

64
charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
View File

@ -1,64 +0,0 @@
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
- level: 1 # SOL_SOCKET = 1
name: 9 # SO_KEEPALIVE = 9
int_value: 1
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 4 # TCP_KEEPIDLE = 4
int_value: 120
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 5 # TCP_KEEPINTVL = 5
int_value: 60
state: STATE_PREBIND
{{- end }}
{{- if index .Values "istio-private-ingress" "enabled" }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
- level: 1 # SOL_SOCKET = 1
name: 9 # SO_KEEPALIVE = 9
int_value: 1
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 4 # TCP_KEEPIDLE = 4
int_value: 120
state: STATE_PREBIND
- level: 6 # IPPROTO_TCP = 6
name: 5 # TCP_KEEPINTVL = 5
int_value: 60
state: STATE_PREBIND
{{- end }}

44
charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml
View File

@ -1,44 +0,0 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}

39
charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
View File

@ -1,39 +0,0 @@
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ $cert.name }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
secretName: {{ $cert.name }}
issuerRef:
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer
dnsNames:
{{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }}
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ $cert.name }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
secretName: private-ingress-cert
issuerRef:
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer
dnsNames:
{{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }}

19
charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml
View File

@ -1,19 +0,0 @@
# Private Ingress Gateway
{{- $gateway := index .Values "istio-private-ingress" }}
{{- if and $gateway.enabled $gateway.certificates }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: private-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
istio: private-ingressgateway
servers:
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
{{- end }}

203
charts/kubezero-istio-ingress/values.yaml
View File

@ -1,203 +0,0 @@
# Make sure these values match kuberzero-istio !!!
global:
#hub: docker.io/istio
tag: 1.11.5-distroless
logAsJson: true
priorityClassName: "system-cluster-critical"
defaultPodDisruptionBudget:
enabled: false
arch:
amd64: 2
istio-ingress:
enabled: false
telemetry:
enabled: false
gateways:
istio-ingressgateway:
autoscaleEnabled: false
replicaCount: 1
rollingMaxSurge: 1
rollingMaxUnavailable: 0
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
# cpu: 100m
memory: 512Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: NodePort
podAnnotations:
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
- name: custom-bootstrap-volume
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
nodeSelector:
node.kubernetes.io/ingress.public: "Exists"
# Only nodes who are fronted with matching NLB
#affintiy:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node.kubernetes.io/ingress.public
# operator: Exists
# Map port 80/443 to 8080/8443 so we don't need to root
# ports is extended as follows:
# noGateway: true -> this port does NOT get mapped to a Gateway port
# tls: optional gateway port setting
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
ports:
- name: status-port
port: 15021
nodePort: 30021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 30443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
certificates:
- name: ingress-cert
dnsNames: []
# - '*.example.com'
proxyProtocol: true
meshConfig:
defaultConfig:
proxyMetadata:
# ISTIO_META_HTTP10: 1
istio-private-ingress:
enabled: false
telemetry:
enabled: false
gateways:
istio-ingressgateway:
# name and labels make the ingress private
name: istio-private-ingressgateway
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
autoscaleEnabled: false
replicaCount: 1
rollingMaxSurge: 1
rollingMaxUnavailable: 0
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
# cpu: 100m
memory: 512Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: NodePort
podAnnotations:
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
- name: custom-bootstrap-volume
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
nodeSelector:
node.kubernetes.io/ingress.private: "Exists"
# Only nodes who are fronted with matching NLB
#affintiy:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node.kubernetes.io/ingress.private
# operator: Exists
ports:
- name: status-port
port: 15021
nodePort: 31021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 31443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
# gatewayProtocol: TLS
# tls:
# mode: SIMPLE
#- name: amqps
# port: 5671
# nodePort: 31671
#- name: amqp
# port: 5672
# nodePort: 31672
#- name: redis
# port: 6379
# nodePort: 31379
certificates:
- name: private-ingress-cert
dnsNames: []
#- '*.example.com'
proxyProtocol: true
meshConfig:
defaultConfig:
proxyMetadata:
# ISTIO_META_HTTP10: 1

2
charts/kubezero-istio/dashboards.yaml
View File

@ -2,7 +2,7 @@
configmap: grafana-dashboards
gzip: true
folder: Istio
condition: 'index .Values "istio-discovery" "telemetry" "enabled"'
condition: '.Values.istiod.telemetry.enabled'
dashboards:
- name: istio-control-plane
url: https://grafana.com/api/dashboards/7645/revisions/115/download

2
charts/kubezero-istio/templates/grafana-dashboards.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "istio-discovery" "telemetry" "enabled" }}
{{- if .Values.istiod.telemetry.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:

4
charts/kubezero/templates/_app.tpl
View File

@ -17,7 +17,11 @@ spec:
project: kubezero
source:
{{- if index .Values $name "chart" }}
chart: {{ index .Values $name "chart" }}
{{- else }}
chart: kubezero-{{ $name }}
{{- end }}
repoURL: {{ .Values.kubezero.repoURL }}
targetRevision: {{ default .Values.kubezero.targetRevision ( index .Values $name "targetRevision" ) | quote }}
helm:

51
charts/kubezero/templates/istio-ingress.yaml
View File

@ -1,51 +0,0 @@
{{- define "_ingress" }}
enabled: {{ .enabled }}
{{- with .gateway }}
gateways:
istio-ingressgateway:
{{- toYaml . | nindent 6 }}
{{- end }}
certificates:
{{- with .dnsNames }}
# Legacy to be removed with 1.21 !!
- name: ingress-cert
dnsNames:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- range $cert := .certificates }}
- name: {{ $cert.name }}
dnsNames:
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default true .proxyProtocol }}
{{- end }}
{{- define "istio-ingress-values" }}
{{- with index .Values "istio-ingress" "global" }}
global:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with index .Values "istio-ingress" "public" }}
istio-ingress:
telemetry:
enabled: {{ $.Values.metrics.enabled }}
{{- include "_ingress" . | nindent 2 }}
{{- end }}
{{- with index .Values "istio-ingress" "private" }}
istio-private-ingress:
telemetry:
enabled: {{ $.Values.metrics.enabled }}
{{- include "_ingress" . | nindent 2 }}
{{- end }}
{{- end }}
{{- define "istio-ingress-argo" }}
{{- end }}
{{ include "kubezero-app.app" . }}

28
charts/kubezero/templates/istio-private-ingress.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- define "istio-private-ingress-values" }}
gateway:
name: istio-private-ingressgateway
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
{{- with index .Values "istio-private-ingress" "gateway" }}
{{- toYaml . | nindent 2 }}
{{- end }}
telemetry:
enabled: {{ $.Values.metrics.enabled }}
certificates:
{{- range $cert := index .Values "istio-private-ingress" "certificates" }}
- name: {{ $cert.name }}
dnsNames:
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
{{- end }}
{{- define "istio-private-ingress-argo" }}
{{- end }}
{{ include "kubezero-app.app" . }}

4
charts/kubezero/templates/istio.yaml
View File

@ -1,7 +1,7 @@
{{- define "istio-values" }}
istio-discovery:
istiod:
telemetry:
enabled: {{ .Values.metrics.enabled }}
enabled: {{ $.Values.metrics.enabled }}
{{- if .Values.HighAvailableControlplane }}
pilot:
replicaCount: 2

10
charts/kubezero/values.yaml
View File

@ -31,12 +31,18 @@ storage:
istio:
enabled: false
namespace: istio-system
targetRevision: 0.7.6
targetRevision: 0.8.0
istio-ingress:
enabled: false
namespace: istio-ingress
targetRevision: 0.7.6
targetRevision: 0.8.0
istio-private-ingress:
enabled: false
chart: kubezero-istio-gateway
namespace: istio-ingress
targetRevision: 0.8.0
metrics:
enabled: false