Kiam minor version bump, first draft of istio chart

charts/kubezero-istio/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: kubezero-istio
+description: KubeZero Umbrella Chart for Istio
+type: application
+version: 0.0.1
+appVersion: 1.5
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+  - kubezero
+  - istio
+maintainers:
+  - name: Quarky9
+dependencies:
+  - name: kubezero-lib
+    version: ">= 0.1.1"
+    repository: https://zero-down-time.github.io/kubezero/
+  - name: istio-operator
+    version: "= 1.5"
+kubeVersion: ">= 1.16.0"

charts/kubezero-istio/README.md

@@ -0,0 +1,24 @@
+kubezero-istio
+==============
+KubeZero Umbrella Chart for Istio
+
+Installs Istio Operator and KubeZero Istio profile
+
+
+Current chart version is `0.0.1`
+
+Source code can be found [here](https://kubezero.com)
+
+## Chart Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+|  | istio-operator | = 1.5 |
+| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
+
+## KubeZero default configuration
+
+
+## Resources
+
+- https://istio.io/latest/docs/setup/install/standalone-operator/

charts/kubezero-istio/README.md.gotmpl

@@ -0,0 +1,18 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+Installs Istio Operator and KubeZero Istio profile
+
+
+{{ template "chart.versionLine" . }}
+
+{{ template "chart.sourceLinkLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## KubeZero default configuration
+
+
+## Resources
+
+- https://istio.io/latest/docs/setup/install/standalone-operator/

charts/kubezero-istio/charts/istio-operator/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+name: istio-operator
+version: 1.5
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio operator
+keywords:
+  - istio
+  - operator
+sources:
+  - http://github.com/istio/istio/operator
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png

charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml

@@ -0,0 +1,113 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: istio-operator
+rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+# k8s groups
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions.apiextensions.k8s.io
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - ingresses
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
+  verbs:
+  - '*'
+---

charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-operator
+subjects:
+- kind: ServiceAccount
+  name: istio-operator
+  namespace: {{.Values.operatorNamespace}}
+roleRef:
+  kind: ClusterRole
+  name: istio-operator
+  apiGroup: rbac.authorization.k8s.io
+---

charts/kubezero-istio/charts/istio-operator/templates/crd.yaml

@@ -0,0 +1,45 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+spec:
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+    - iop
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: 'Specification of the desired state of the istio control plane resource.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+        status:
+          description: 'Status describes each of istio control plane component status at the current time.
+            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+---

charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: istio-operator
+  template:
+    metadata:
+      labels:
+        name: istio-operator
+    spec:
+      serviceAccountName: istio-operator
+      containers:
+        - name: istio-operator
+          image: {{.Values.hub}}/operator:{{.Values.tag}}
+          command:
+          - operator
+          - server
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{.Values.istioNamespace}}
+            - name: LEADER_ELECTION_NAMESPACE
+              value: {{.Values.operatorNamespace}}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{.Values.operatorNamespace}}
+---

charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{.Values.operatorNamespace}}
+  labels:
+    istio-operator-managed: Reconcile
+    istio-injection: disabled
+---

charts/kubezero-istio/charts/istio-operator/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  labels:
+    name: istio-operator
+  name: istio-operator
+spec:
+  ports:
+  - name: http-metrics
+    port: 8383
+    targetPort: 8383
+  selector:
+    name: istio-operator
+---

charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+---

charts/kubezero-istio/charts/istio-operator/values.yaml

@@ -0,0 +1,4 @@
+hub: gcr.io/istio-testing
+tag: 1.5-dev
+operatorNamespace: istio-operator
+istioNamespace: istio-system

charts/kubezero-istio/update.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -ex
+
+ISTIO_VERSION=1.5.8
+
+NAME="istio-$ISTIO_VERSION"
+URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz"
+
+curl -sL "$URL" | tar xz
+
+# Now lets extract what we need
+rm -rf charts/istio-operator
+cp -r istio-${ISTIO_VERSION}/install/kubernetes/operator/charts/istio-operator charts
+
+rm -rf istio-${ISTIO_VERSION}

charts/kubezero-istio/values.yaml

@@ -0,0 +1 @@
+# istio:

charts/kubezero-kiam/Chart.yaml

@@ -2,7 +2,8 @@ apiVersion: v2
 name: kubezero-kiam
 description: KubeZero Umbrella Chart for Kiam
 type: application
-version: 0.2.5
+version: 0.2.6
+appVersion: 3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-kiam/README.md

@@ -2,7 +2,7 @@ kubezero-kiam
 =============
 KubeZero Umbrella Chart for Kiam
 
-Current chart version is `0.2.5`
+Current chart version is `0.2.6`
 
 Source code can be found [here](https://kubezero.com)
 
@@ -37,7 +37,7 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
 | kiam.agent.gatewayTimeoutCreation | string | `"5s"` |  |
 | kiam.agent.host.interface | string | `"cali+"` |  |
 | kiam.agent.host.iptables | bool | `false` |  |
-| kiam.agent.image.tag | string | `"v3.6-rc1"` |  |
+| kiam.agent.image.tag | string | `"v3.6"` |  |
 | kiam.agent.log.level | string | `"warn"` |  |
 | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` |  |
 | kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` |  |
@@ -52,7 +52,7 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
 | kiam.server.assumeRoleArn | string | `""` |  kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role |
 | kiam.server.deployment.enabled | bool | `true` |  |
 | kiam.server.deployment.replicas | int | `1` |  |
-| kiam.server.image.tag | string | `"v3.6-rc1"` |  |
+| kiam.server.image.tag | string | `"v3.6"` |  |
 | kiam.server.log.level | string | `"warn"` |  |
 | kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` |  |
 | kiam.server.prometheus.servicemonitor.enabled | bool | `false` |  |

charts/kubezero-kiam/values.yaml

@@ -1,7 +1,7 @@
 kiam:
   server:
     image:
-      tag: "v3.6-rc1"
+      tag: "v3.6"
     # kiam.server.assumeRoleArn --  kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role
     assumeRoleArn: ''
     useHostNetwork: true
@@ -31,7 +31,7 @@ kiam:
 
   agent:
     image:
-      tag: "v3.6-rc1"
+      tag: "v3.6"
     gatewayTimeoutCreation: "5s"
     updateStrategy: RollingUpdate
     # IP tables set on each node at boot, see CloudBender