ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 21 Packages Projects Releases Wiki Activity

Merge pull request 'Merge argoless branch into master' (#30) from argoless into master

Browse Source 
Reviewed-on: ZeroDownTime/kubezero#30
This commit is contained in:
Stefan Reimer 2021-01-12 15:03:35 +00:00
commit a570431940
523 changed files with 100596 additions and 15498 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Makefile Normal file
View File

@ -0,0 +1,14 @@
BUCKET ?= zero-downtime
BUCKET_PREFIX ?= /cloudbender/distfiles
FILES ?= distfiles.txt
.PHONY: clean update
all: update
clean:
rm -f kube*.tgz
update:
./script/update_helm.sh

1
charts/fluent-bit
View File

@ -1 +0,0 @@
../../helm-charts/charts/fluent-bit

13
charts/kubeadm/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.18.14
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- kubeadm
maintainers:
- name: Quarky9
kubeVersion: ">= 1.16.0"

0
charts/kubezero-logging/values-remote-es.yaml → charts/kubeadm/README.md
View File

28
charts/kubeadm/README.md.gotmpl Normal file
View File

@ -0,0 +1,28 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
Installs the Istio control plane
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
## Resources
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
- https://github.com/awslabs/amazon-eks-ami

61
charts/kubeadm/templates/ClusterConfiguration.yaml Normal file
View File

@ -0,0 +1,61 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: kubezero-clusterconfiguration
kubernetesVersion: {{ .Values.clusterVersion }}
clusterName: {{ .Values.clusterName }}
controlPlaneEndpoint: {{ .Values.apiEndpoint }}
networking:
podSubnet: 10.244.0.0/16
etcd:
local:
extraArgs:
listen-metrics-urls: "http://0.0.0.0:2381"
{{- with .Values.etcdExtraArgs }}
{{- toYaml . | nindent 6 }}
{{- end }}
controllerManager:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }}
# Default anyways but make kube-bench happy
feature-gates: "RotateKubeletServerCertificate=true"
scheduler:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
leader-elect: {{ .Values.clusterHighAvailable | quote }}
apiServer:
certSANs:
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
extraArgs:
etcd-servers: {{ .Values.allEtcdEndpoints }}
profiling: "false"
feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
audit-log-maxage: "7"
audit-log-maxsize: "100"
audit-log-maxbackup: "3"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }}
goaway-chance: ".001"
{{- end }}
{{- with .Values.apiExtraArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
extraVolumes:
- name: kubezero-apiserver
hostPath: /etc/kubernetes/apiserver
mountPath: /etc/kubernetes/apiserver
readOnly: true
pathType: DirectoryOrCreate
- name: audit-log
hostPath: /var/log/kubernetes
mountPath: /var/log/kubernetes
pathType: DirectoryOrCreate

12
charts/kubeadm/templates/InitConfiguration.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
metadata:
name: kubezero-initconfiguration
localAPIEndpoint:
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
nodeRegistration:
ignorePreflightErrors:
- Swap
- DirAvailable--var-lib-etcd
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}

18
charts/kubeadm/templates/JoinConfiguration.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
metadata:
name: kubezero-joinconfiguration
discovery:
bootstrapToken:
apiServerEndpoint: {{ .Values.apiEndpoint }}
token: {{ .Values.joinToken }}
caCertHashes:
- "{{ .Values.caCertHash }}"
nodeRegistration:
ignorePreflightErrors:
- DirAvailable--var-lib-etcd
- Swap
controlPlane:
localAPIEndpoint:
advertiseAddress: {{ .Values.ipAddress }}
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}

6
charts/kubeadm/templates/KubeProxyConfiguration.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
metadata:
name: kubezero-kubeproxyconfiguration
metricsBindAddress: "0.0.0.0:10249"
mode: ""

19
charts/kubeadm/templates/KubeletConfiguration.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
metadata:
name: kubezero-kubeletconfiguration
failSwapOn: false
hairpinMode: hairpin-veth
resolvConf: /run/systemd/resolve/resolv.conf
protectKernelDefaults: true
eventRecordQPS: 0
# Breaks kubelet at boot time
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
featureGates:
# Default anyways but make kube-bench happy
RotateKubeletServerCertificate: true
CSIMigration: true
CSIMigrationAWS: true
CSIMigrationAWSComplete: true

7
charts/kubeadm/templates/apiserver/admission-configuration.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
metadata:
name: kubezero-admissionconfiguration
plugins:
- name: EventRateLimit
path: /etc/kubernetes/apiserver/event-config.yaml

7
charts/kubeadm/templates/apiserver/audit-policy.yaml Normal file
View File

@ -0,0 +1,7 @@
# Don't Log anything, but audit policy enabled
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: kubezero-auditpolicy
rules:
- level: None

13
charts/kubeadm/templates/apiserver/event-config.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
kind: Configuration
metadata:
name: kubezero-eventratelimits
limits:
- type: Namespace
qps: 50
burst: 100
cacheSize: 20
- type: User
qps: 10
burst: 50
cacheSize: 20

32
charts/kubeadm/templates/aws-iam-authenticator/crds.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: iamidentitymappings.iamauthenticator.k8s.aws
spec:
group: iamauthenticator.k8s.aws
version: v1alpha1
scope: Cluster
names:
plural: iamidentitymappings
singular: iamidentitymapping
kind: IAMIdentityMapping
categories:
- all
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
required:
- arn
- username
properties:
arn:
type: string
username:
type: string
groups:
type: array
items:
type: string

164
charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml Normal file
View File

@ -0,0 +1,164 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aws-iam-authenticator
rules:
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings
verbs:
- get
- list
- watch
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- aws-auth
verbs:
- get
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-iam-authenticator
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: aws-iam-authenticator
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aws-iam-authenticator
subjects:
- kind: ServiceAccount
name: aws-iam-authenticator
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
data:
config.yaml: |
clusterID: {{ .Values.clusterName }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
selector:
matchLabels:
k8s-app: aws-iam-authenticator
updateStrategy:
type: RollingUpdate
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
k8s-app: aws-iam-authenticator
spec:
# use service account with access to
serviceAccountName: aws-iam-authenticator
# run on the host network (don't depend on CNI)
hostNetwork: true
# run on each master node
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- key: CriticalAddonsOnly
operator: Exists
containers:
- name: aws-iam-authenticator
image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
args:
- server
- --backend-mode=CRD,MountedFile
- --config=/etc/aws-iam-authenticator/config.yaml
- --state-dir=/var/aws-iam-authenticator
- --kubeconfig-pregenerated=true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
memory: 20Mi
cpu: 10m
limits:
memory: 20Mi
cpu: 100m
volumeMounts:
- name: config
mountPath: /etc/aws-iam-authenticator/
- name: state
mountPath: /var/aws-iam-authenticator/
volumes:
- name: config
configMap:
name: aws-iam-authenticator
- name: state
hostPath:
path: /var/aws-iam-authenticator/
---
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
metadata:
name: kubernetes-admin
spec:
# Arn of the User or Role to be allowed to authenticate
arn: {{ .Values.kubeAdminRole }}
username: kubernetes-admin
groups:
- system:masters

11
charts/kubeadm/values.yaml Normal file
View File

@ -0,0 +1,11 @@
clusterVersion: 1.18.0
clusterName: pleasechangeme
apiEndpoint: kube-api.changeme.org:6443
etcdExtraArgs: {}
# Enable for > 1.18
# unsafe-no-fsync: "true"
apiExtraArgs: {}
clusterHighAvailable: false
allEtcdEndpoints: ""
joinToken: ""
caCertHash: ""

26
charts/kubezero-argo-cd/templates/app.yaml
View File

@ -1,26 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubezero
namespace: argocd
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
project: kubezero
source:
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
helm:
values: |
{{- toYaml .Values.kubezero | nindent 8 }}
destination:
server: {{ .Values.kubezero.global.defaultDestination.server }}
namespace: argocd
{{- if .Values.kubezero.global.syncPolicy }}
syncPolicy:
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
{{- end }}

8
charts/kubezero-argo-cd/Chart.yaml → charts/kubezero-argocd/Chart.yaml
View File

@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
name: kubezero-argo-cd name: kubezero-argocd
version: 0.6.0 version: 0.6.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,6 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: argo-cd - name: argo-cd
version: 2.9.3 version: 2.9.5
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
kubeVersion: ">= 1.17.0" kubeVersion: ">= 1.16.0"

29
charts/kubezero-argo-cd/README.md → charts/kubezero-argocd/README.md
View File

@ -1,6 +1,6 @@
# kubezero-argo-cd # kubezero-argocd
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
@ -14,11 +14,11 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl
## Requirements ## Requirements
Kubernetes: `>= 1.17.0` Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 | | https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values ## Values
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
| argo-cd.controller.metrics.enabled | bool | `false` | | | argo-cd.controller.metrics.enabled | bool | `false` | |
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
| argo-cd.dex.enabled | bool | `false` | | | argo-cd.dex.enabled | bool | `false` | |
| argo-cd.global.image.tag | string | `"v1.7.8"` | | | argo-cd.global.image.tag | string | `"v1.7.10"` | |
| argo-cd.installCRDs | bool | `false` | | | argo-cd.installCRDs | bool | `false` | |
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| argo-cd.istio.ipBlocks | list | `[]` | |
| argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.logFormat | string | `"json"` | |
| argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | |
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | | argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | | argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | | | argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
@ -53,12 +48,16 @@ Kubernetes: `>= 1.17.0`
| argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.enabled | bool | `false` | |
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster | | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees | | istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications | | istio.ipBlocks | list | `[]` | |
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL | | kubezero.enabled | bool | `false` | |
| kubezero.path | string | `"charts/kubezero"` | path within repoURL |
| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications |
| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster |
| kubezero.targetRevision | string | `"HEAD"` | git branch to track |
| kubezero.valuesFiles[0] | string | `"values.yaml"` | |
## Resources ## Resources
- https://argoproj.github.io/argo-cd/operator-manual/metrics/ - https://argoproj.github.io/argo-cd/operator-manual/metrics/

0
charts/kubezero-argo-cd/README.md.gotmpl → charts/kubezero-argocd/README.md.gotmpl
View File

6
charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml → charts/kubezero-argocd/templates/istio-authorization-policy.yaml
View File

@ -1,5 +1,5 @@
{{- if index .Values "argo-cd" "istio" "enabled" }} {{- if .Values.istio.enabled }}
{{- if index .Values "argo-cd" "istio" "ipBlocks" }} {{- if .Values.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
@ -16,7 +16,7 @@ spec:
- from: - from:
- source: - source:
notIpBlocks: notIpBlocks:
{{- with index .Values "argo-cd" "istio" "ipBlocks" }} {{- with .Values.istio.ipBlocks }}
{{- . | toYaml | nindent 8 }} {{- . | toYaml | nindent 8 }}
{{- end }} {{- end }}
to: to:

8
charts/kubezero-argo-cd/templates/istio-service.yaml → charts/kubezero-argocd/templates/istio-service.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "istio" "enabled" }} {{- if .Values.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: VirtualService kind: VirtualService
metadata: metadata:
@ -7,7 +7,7 @@ metadata:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
gateways: gateways:
- {{ index .Values "argo-cd" "istio" "gateway" }} - {{ .Values.istio.gateway }}
hosts: hosts:
- {{ index .Values "argo-cd" "server" "config" "url" }} - {{ index .Values "argo-cd" "server" "config" "url" }}
http: http:
@ -18,13 +18,13 @@ spec:
prefix: argocd-client prefix: argocd-client
route: route:
- destination: - destination:
host: {{ .Release.Name }}-argocd-server host: argocd-server
port: port:
number: 443 number: 443
- name: http - name: http
route: route:
- destination: - destination:
host: {{ .Release.Name }}-argocd-server host: argocd-server
port: port:
number: 80 number: 80
{{- end }} {{- end }}

35
charts/kubezero-argo-cd/templates/project.yaml → charts/kubezero-argocd/templates/kubezero.yaml
View File

@ -1,3 +1,4 @@
{{- if .Values.kubezero.enabled }}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: AppProject kind: AppProject
metadata: metadata:
@ -12,7 +13,6 @@ spec:
sourceRepos: sourceRepos:
- '*' - '*'
# Only permit applications to deploy to the guestbook namespace in the same cluster
destinations: destinations:
- namespace: argocd - namespace: argocd
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
@ -20,10 +20,10 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: cert-manager - namespace: cert-manager
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: istio-operator
server: https://kubernetes.default.svc
- namespace: istio-system - namespace: istio-system
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: istio-ingress
server: https://kubernetes.default.svc
- namespace: monitoring - namespace: monitoring
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: elastic-system - namespace: elastic-system
@ -34,3 +34,32 @@ spec:
clusterResourceWhitelist: clusterResourceWhitelist:
- group: '*' - group: '*'
kind: '*' kind: '*'
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubezero
namespace: argocd
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
project: kubezero
source:
repoURL: {{ .Values.kubezero.repoURL }}
targetRevision: {{ .Values.kubezero.targetRevision }}
path: {{ .Values.kubezero.path }}
helm:
valueFiles:
{{- toYaml .Values.kubezero.valuesFiles | nindent 6 }}
destination:
server: {{ .Values.kubezero.server }}
namespace: argocd
{{- with .Values.kubezero.syncPolicy }}
syncPolicy:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

62
charts/kubezero-argo-cd/values.yaml → charts/kubezero-argocd/values.yaml
View File

@ -1,24 +1,35 @@
# Configure app of apps
kubezero: kubezero:
global: enabled: false
# kubezero.global.defaultDestination -- Destination cluster
defaultDestination:
server: https://kubernetes.default.svc
# This repoURL is used a base for all the repoURLs applications # kubezero.server -- destination cluster
# Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be server: https://kubernetes.default.svc
# integrated into any repository as a git subtree if for example public internet access is unavailable
defaultSource:
# kubezero.global.defaultSource.repoURL -- default repository for argocd applications
repoURL: https://github.com/zero-down-time/kubezero
# kubezero.global.defaultSource.targetRevision -- default tracking of repoURL
targetRevision: HEAD
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
pathPrefix: ''
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync # This repoURL is used a base for all the repoURLs applications
#syncPolicy: # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be
# automated: # integrated into any repository as a git subtree if for example public internet access is unavailable
# prune: true # kubezero.repoURL -- repository for kubezero argo applications
repoURL: https://github.com/zero-down-time/kubezero
# kubezero.targetRevision -- git branch to track
targetRevision: HEAD
# kubezero.path -- path within repoURL
path: 'charts/kubezero'
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
#syncPolicy:
# automated:
# prune: true
valuesFiles:
- values.yaml
# Support for Istio Ingress for ArgoCD
istio:
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-ingress/ingressgateway
ipBlocks: []
argo-cd: argo-cd:
installCRDs: false installCRDs: false
@ -31,7 +42,7 @@ argo-cd:
global: global:
image: image:
tag: v1.7.8 tag: v1.7.10
controller: controller:
args: args:
@ -44,7 +55,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -62,7 +72,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -72,6 +81,9 @@ argo-cd:
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
url: argocd.example.com url: argocd.example.com
#repositories: |
# - url: https://zero-down-time.github.io/kubezero.git
resource.customizations: | resource.customizations: |
cert-manager.io/Certificate: cert-manager.io/Certificate:
# Lua script for customizing the health status assessment # Lua script for customizing the health status assessment
@ -105,7 +117,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -118,10 +129,3 @@ argo-cd:
dex: dex:
enabled: false enabled: false
istio:
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-system/ingressgateway
ipBlocks: []

1
charts/kubezero-aws-ebs-csi-driver/.gitignore vendored
View File

@ -1 +0,0 @@
git

7
charts/kubezero-aws-ebs-csi-driver/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-aws-ebs-csi-driver name: kubezero-aws-ebs-csi-driver
description: KubeZero Umbrella Chart for aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver
type: application type: application
version: 0.3.2 version: 0.3.4
appVersion: 0.7.0 appVersion: 0.8.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
sources: sources:
@ -17,6 +17,9 @@ keywords:
maintainers: maintainers:
- name: Quarky9 - name: Quarky9
dependencies: dependencies:
- name: aws-ebs-csi-driver
version: 0.7.1
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/

3
charts/kubezero-aws-ebs-csi-driver/README.md
View File

@ -1,6 +1,6 @@
# kubezero-aws-ebs-csi-driver # kubezero-aws-ebs-csi-driver
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square) ![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
KubeZero Umbrella Chart for aws-ebs-csi-driver KubeZero Umbrella Chart for aws-ebs-csi-driver
@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.7.1 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## IAM Role ## IAM Role

16
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml
View File

@ -1,16 +0,0 @@
apiVersion: v1
appVersion: "0.7.0"
name: aws-ebs-csi-driver
description: A Helm chart for AWS EBS CSI Driver
version: 0.6.0
kubeVersion: ">=1.13.0-0"
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
sources:
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
keywords:
- aws
- ebs
- csi
maintainers:
- name: leakingtapan
email: chengpan@amazon.com

3
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt
View File

@ -1,3 +0,0 @@
To verify that aws-ebs-csi-driver has started, run:
kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"

20
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
View File

@ -1,20 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-attacher-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["csi.storage.k8s.io"]
resources: ["csinodeinfos"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update"]

35
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
View File

@ -1,35 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-provisioner-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]

31
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
View File

@ -1,31 +0,0 @@
{{- if .Values.enableVolumeResizing }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-resizer-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
# The following rule should be uncommented for plugins that require secrets
# for provisioning.
# - apiGroups: [""]
# resources: ["secrets"]
# verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
{{- end}}

35
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml
View File

@ -1,35 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-snapshot-controller-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["update"]
{{- end }}

25
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
View File

@ -1,25 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-snapshotter-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents/status"]
verbs: ["update"]
{{- end }}

15
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml
View File

@ -1,15 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-attacher-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-attacher-role
apiGroup: rbac.authorization.k8s.io

15
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml
View File

@ -1,15 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-provisioner-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-provisioner-role
apiGroup: rbac.authorization.k8s.io

18
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml
View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeResizing }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-resizer-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-resizer-role
apiGroup: rbac.authorization.k8s.io
{{- end}}

18
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml
View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-snapshot-controller-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-snapshot-controller
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-snapshot-controller-role
apiGroup: rbac.authorization.k8s.io
{{- end }}

18
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml
View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-snapshotter-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-snapshotter-role
apiGroup: rbac.authorization.k8s.io
{{- end }}

157
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml
View File

@ -1,157 +0,0 @@
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
name: ebs-csi-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.podAnnotations }}
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
spec:
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.nodeSelector }}
{{ toYaml . | indent 8 }}
{{- end }}
serviceAccountName: ebs-csi-controller-sa
priorityClassName: system-cluster-critical
{{- with .Values.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
tolerations:
- operator: Exists
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: ebs-plugin
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if ne .Release.Name "kustomize" }}
- controller
{{- else }}
# - {all,controller,node} # specify the driver mode
{{- end }}
- --endpoint=$(CSI_ENDPOINT)
{{- if .Values.extraVolumeTags }}
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
{{- end }}
- --logtostderr
- --v=5
env:
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-secret
key: key_id
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-secret
key: access_key
optional: true
{{- if .Values.region }}
- name: AWS_REGION
value: {{ .Values.region }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --v=5
{{- if .Values.enableVolumeScheduling }}
- --feature-gates=Topology=true
{{- end}}
- --enable-leader-election
- --leader-election-type=leases
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: csi-attacher
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --v=5
- --leader-election=true
- --leader-election-type=leases
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- if .Values.enableVolumeSnapshot }}
- name: csi-snapshotter
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --leader-election=true
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- end }}
{{- if .Values.enableVolumeResizing }}
- name: csi-resizer
image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }}
imagePullPolicy: Always
args:
- --csi-address=$(ADDRESS)
- --v=5
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
- --csi-address=/csi/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /csi
volumes:
- name: socket-dir
emptyDir: {}

9
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml
View File

@ -1,9 +0,0 @@
apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
name: ebs.csi.aws.com
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
attachRequired: true
podInfoOnMount: false

117
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml
View File

@ -1,117 +0,0 @@
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: ebs-csi-node
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: ebs-csi-node
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-csi-node
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.node.podAnnotations }}
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
{{- end }}
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
{{- with .Values.node.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: ebs-plugin
securityContext:
privileged: true
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- node
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v=5
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
- name: node-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --v=5
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
- --csi-address=/csi/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
volumes:
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory

15
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-snapshot-controller-leaderelection
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- end }}

19
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml
View File

@ -1,19 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-controller-leaderelection
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-snapshot-controller
namespace: kube-system
roleRef:
kind: Role
name: snapshot-controller-leaderelection
apiGroup: rbac.authorization.k8s.io
{{- end }}

15
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-csi-controller-sa
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.controller.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- if eq .Release.Name "kustomize" }}
#Enable if EKS IAM for SA is used
#annotations:
# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
{{- end }}

13
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml
View File

@ -1,13 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-snapshot-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.snapshot.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

30
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml
View File

@ -1,30 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
#Snapshot controller
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: ebs-snapshot-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
serviceName: ebs-snapshot-controller
replicas: 1
selector:
matchLabels:
app: ebs-snapshot-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-snapshot-controller
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
spec:
serviceAccountName: ebs-snapshot-controller
containers:
- name: snapshot-controller
image: quay.io/k8scsi/snapshot-controller:v2.1.1
args:
- --v=5
- --leader-election=false
{{- end }}

86
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml
View File

@ -1,86 +0,0 @@
# Default values for aws-ebs-csi-driver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 2
image:
repository: amazon/aws-ebs-csi-driver
tag: "v0.7.0"
pullPolicy: IfNotPresent
sidecars:
provisionerImage:
repository: quay.io/k8scsi/csi-provisioner
tag: "v1.5.0"
attacherImage:
repository: quay.io/k8scsi/csi-attacher
tag: "v1.2.0"
snapshotterImage:
repository: quay.io/k8scsi/csi-snapshotter
tag: "v2.1.1"
livenessProbeImage:
repository: quay.io/k8scsi/livenessprobe
tag: "v1.1.0"
resizerImage:
repository: quay.io/k8scsi/csi-resizer
tag: "v0.3.0"
nodeDriverRegistrarImage:
repository: quay.io/k8scsi/csi-node-driver-registrar
tag: "v1.1.0"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
# True if enable volume scheduling for dynamic volume provisioning
enableVolumeScheduling: false
# True if enable volume resizing
enableVolumeResizing: false
# True if enable volume snapshot
enableVolumeSnapshot: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
# Extra volume tags to attach to each dynamically provisioned volume.
# ---
# extraVolumeTags:
# key1: value1
# key2: value2
extraVolumeTags: {}
# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
# service.
# ---
# region: us-east-1
region: ""
node:
podAnnotations: {}
tolerations: []
serviceAccount:
controller:
annotations: {}
snapshot:
annotations: {}

18
charts/kubezero-aws-ebs-csi-driver/templates/storage-class.yaml
View File

@ -4,6 +4,22 @@ apiVersion: storage.k8s.io/v1
metadata: metadata:
name: ebs-sc-gp2-xfs name: ebs-sc-gp2-xfs
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
csi.storage.k8s.io/fstype: xfs
type: gp2
encrypted: "true"
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
allowVolumeExpansion: true
{{- end }}
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: ebs-sc-gp3-xfs
labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
{{- if .Values.StorageClass.default }} {{- if .Values.StorageClass.default }}
annotations: annotations:
@ -13,7 +29,7 @@ provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer volumeBindingMode: WaitForFirstConsumer
parameters: parameters:
csi.storage.k8s.io/fstype: xfs csi.storage.k8s.io/fstype: xfs
type: gp2 type: gp3
encrypted: "true" encrypted: "true"
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }} {{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
allowVolumeExpansion: true allowVolumeExpansion: true

14
charts/kubezero-aws-ebs-csi-driver/update.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
set -ex
# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
REPO="kubernetes-sigs/aws-ebs-csi-driver"
[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
rm -rf git
git clone https://github.com/$REPO.git git
cd git && git checkout $RELEASE && cd -
rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver
mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver

2
charts/kubezero-aws-ebs-csi-driver/.helmignore → charts/kubezero-aws-efs-csi-driver/.helmignore
View File

@ -20,3 +20,5 @@
.idea/ .idea/
*.tmproj *.tmproj
.vscode/ .vscode/
git

4
charts/kubezero-calico/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-calico name: kubezero-calico
description: KubeZero Umbrella Chart for Calico description: KubeZero Umbrella Chart for Calico
type: application type: application
version: 0.2.0 version: 0.2.1
appVersion: v3.16.1 appVersion: v3.16.5
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

3
charts/kubezero-calico/README.md
View File

@ -1,6 +1,6 @@
# kubezero-calico # kubezero-calico
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square) ![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square)
KubeZero Umbrella Chart for Calico KubeZero Umbrella Chart for Calico
@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| image.tag | string | `""` | | | image.tag | string | `""` | |
| installCRDs | bool | `false` | |
| loglevel | string | `"Warning"` | | | loglevel | string | `"Warning"` | |
| mtu | int | `8941` | | | mtu | int | `8941` | |
| network | string | `"vxlan"` | | | network | string | `"vxlan"` | |

101
charts/kubezero-calico/calico-v3.15.patch
View File

@ -1,101 +0,0 @@
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
@@ -10,13 +10,13 @@
# Typha is disabled.
typha_service_name: "none"
# Configure the backend to use.
- calico_backend: "bird"
+ calico_backend: "vxlan"
# Configure the MTU to use for workload interfaces and tunnels.
# - If Wireguard is enabled, set to your network MTU - 60
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
# - Otherwise, if not using any encapsulation, set to your network MTU.
- veth_mtu: "1410"
+ veth_mtu: "8941"
# The CNI network configuration to install on each node. The special
# values in this config will be automatically populated.
@@ -3451,29 +3451,6 @@
terminationGracePeriodSeconds: 0
priorityClassName: system-node-critical
initContainers:
- # This container performs upgrade from host-local IPAM to calico-ipam.
- # It can be deleted if this is a fresh installation, or if you have already
- # upgraded to use calico-ipam.
- - name: upgrade-ipam
- image: calico/cni:v3.15.0
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
- env:
- - name: KUBERNETES_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: CALICO_NETWORKING_BACKEND
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: calico_backend
- volumeMounts:
- - mountPath: /var/lib/cni/networks
- name: host-local-net-dir
- - mountPath: /host/opt/cni/bin
- name: cni-bin-dir
- securityContext:
- privileged: true
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
@@ -3545,7 +3522,7 @@
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
- value: "k8s,bgp"
+ value: "k8s,kubeadm"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
@@ -3554,7 +3531,7 @@
value: "Never"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
- value: "CrossSubnet"
+ value: "Always"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
@@ -3595,9 +3572,17 @@
value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
- value: "info"
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYFILE
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYSYS
+ value: ""
- name: FELIX_HEALTHENABLED
value: "true"
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
+ value: "false"
+ - name: FELIX_PROMETHEUSMETRICSENABLED
+ value: "true"
securityContext:
privileged: true
resources:
@@ -3608,7 +3593,6 @@
command:
- /bin/calico-node
- -felix-live
- - -bird-live
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
@@ -3617,7 +3601,6 @@
command:
- /bin/calico-node
- -felix-ready
- - -bird-ready
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules

3359
charts/kubezero-calico/calico-v3.16.5.patch Normal file
View File

File diff suppressed because it is too large Load Diff

34
charts/kubezero-calico/crds/crds.yaml
View File

@ -1,3 +1,4 @@
---
# Source: calico/templates/kdd-crds.yaml # Source: calico/templates/kdd-crds.yaml
@ -192,6 +193,29 @@ spec:
description: Selector for the nodes that should have this peering. When description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty. this is set, the Node field must be empty.
type: string type: string
password:
description: Optional BGP password for the peerings generated by this
BGPPeer resource.
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
peerIP: peerIP:
description: The IP address of the peer followed by an optional port description: The IP address of the peer followed by an optional port
number to peer with. If port number is given, format should be `[<IPv6>]:port` number to peer with. If port number is given, format should be `[<IPv6>]:port`
@ -396,6 +420,16 @@ spec:
spec: spec:
description: FelixConfigurationSpec contains the values of the Felix configuration. description: FelixConfigurationSpec contains the values of the Felix configuration.
properties: properties:
allowIPIPPacketsFromWorkloads:
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
will add a rule to drop IPIP encapsulated traffic from workloads
[Default: false]'
type: boolean
allowVXLANPacketsFromWorkloads:
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
will add a rule to drop VXLAN encapsulated traffic from workloads
[Default: false]'
type: boolean
awsSrcDstCheck: awsSrcDstCheck:
description: 'Set source-destination-check on AWS EC2 instances. Accepted description: 'Set source-destination-check on AWS EC2 instances. Accepted
value must be one of "DoNothing", "Enabled" or "Disabled". [Default: value must be one of "DoNothing", "Enabled" or "Disabled". [Default:

6
charts/kubezero-calico/templates/crds.yaml
View File

@ -1,6 +0,0 @@
{{- if .Values.installCRDs }}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}

2
charts/kubezero-calico/values.yaml
View File

@ -1,5 +1,3 @@
installCRDs: false
image: image:
tag: "" tag: ""

5
charts/kubezero-cert-manager/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-cert-manager name: kubezero-cert-manager
description: KubeZero Umbrella Chart for cert-manager description: KubeZero Umbrella Chart for cert-manager
type: application type: application
version: 0.4.0 version: 0.4.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: cert-manager - name: cert-manager
version: 1.0.3 version: 1.1.0
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
condition: cert-manager.enabled
kubeVersion: ">= 1.16.0" kubeVersion: ">= 1.16.0"

11
charts/kubezero-cert-manager/README.md
View File

@ -1,6 +1,6 @@
# kubezero-cert-manager # kubezero-cert-manager
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for cert-manager KubeZero Umbrella Chart for cert-manager
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://charts.jetstack.io | cert-manager | 1.0.3 | | https://charts.jetstack.io | cert-manager | 1.1.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## AWS - IAM Role ## AWS - IAM Role
@ -38,12 +38,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| cert-manager.enabled | bool | `true` | |
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
| cert-manager.installCRDs | bool | `true` | |
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | | cert-manager.podAnnotations | object | `{}` | |
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
@ -51,5 +52,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| clusterIssuer | object | `{}` | | | clusterIssuer | object | `{}` | |
| localCA.enabled | bool | `true` | | | localCA.enabled | bool | `false` | |
| localCA.selfsigning | bool | `true` | | | localCA.selfsigning | bool | `true` | |

19
charts/kubezero-cert-manager/templates/cluster-ca.yaml
View File

@ -3,11 +3,11 @@
# KubeZero / Local cluster CA # KubeZero / Local cluster CA
# The resources are serialized via waves in Argo # The resources are serialized via waves in Argo
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: kubezero-selfsigning-issuer name: kubezero-selfsigning-issuer
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:
@ -15,11 +15,11 @@ metadata:
spec: spec:
selfSigned: {} selfSigned: {}
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: kubezero-local-ca name: kubezero-local-ca
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:
@ -30,6 +30,7 @@ spec:
isCA: true isCA: true
issuerRef: issuerRef:
name: kubezero-selfsigning-issuer name: kubezero-selfsigning-issuer
kind: ClusterIssuer
usages: usages:
- "any" - "any"
--- ---
@ -39,7 +40,7 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: kubezero-ca-tls name: kubezero-ca-tls
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
data: data:
@ -48,11 +49,11 @@ data:
--- ---
{{- end }} {{- end }}
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: kubezero-local-ca-issuer name: kubezero-local-ca-issuer
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:

2
charts/kubezero-cert-manager/templates/cluster-issuer.yaml
View File

@ -1,5 +1,5 @@
{{- if .Values.clusterIssuer.name }} {{- if .Values.clusterIssuer.name }}
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: {{ .Values.clusterIssuer.name }} name: {{ .Values.clusterIssuer.name }}

19
charts/kubezero-cert-manager/values.yaml
View File

@ -9,7 +9,7 @@ clusterIssuer: {}
# hostedZoneID: 1234567890 # hostedZoneID: 1234567890
localCA: localCA:
enabled: true enabled: false
# If selfsigning is false you must provide the ca key and crt below # If selfsigning is false you must provide the ca key and crt below
selfsigning: true selfsigning: true
#ca: #ca:
@ -17,34 +17,45 @@ localCA:
# crt: <pem-crt-material> # crt: <pem-crt-material>
cert-manager: cert-manager:
installCRDs: true enabled: true
global:
leaderElection:
namespace: "cert-manager"
podAnnotations: {}
# iam.amazonaws.com/role: ""
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
ingressShim: ingressShim:
defaultIssuerName: letsencrypt-dns-prod defaultIssuerName: letsencrypt-dns-prod
defaultIssuerKind: ClusterIssuer defaultIssuerKind: ClusterIssuer
webhook: webhook:
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
cainjector: cainjector:
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
extraArgs: extraArgs:
- "--dns01-recursive-nameservers-only" - "--dns01-recursive-nameservers-only"
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true # - --enable-certificate-owner-ref=true
prometheus: prometheus:
servicemonitor: servicemonitor:
enabled: false enabled: false
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
podAnnotations: {}
# iam.amazonaws.com/role: ""

24
charts/kubezero-istio-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.1.1
appVersion: 1.8.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- istio
maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.1.0
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.1.0
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.16.0"

97
charts/kubezero-istio-ingress/README.md Normal file
View File

@ -0,0 +1,97 @@
# kubezero-istio-ingress
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
**Homepage:** <https://kubezero.com>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Quarky9 | | |
## Requirements
Kubernetes: `>= 1.16.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-ingress | 1.1.0 |
| | istio-private-ingress | 1.1.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.arch.amd64 | int | `2` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.hub | string | `"docker.io/istio"` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| global.tag | string | `"1.8.1"` | |
| istio-ingress.dnsNames | list | `[]` | |
| istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.dnsNames | list | `[]` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

24
charts/kubezero-istio-ingress/README.md.gotmpl Normal file
View File

@ -0,0 +1,24 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

13
charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt Normal file
View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

93
charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl Normal file
View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

346
charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml Normal file
View File

@ -0,0 +1,346 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 90
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

79
charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

78
charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml Normal file
View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml Normal file
View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml Normal file
View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

55
charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml Normal file
View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

18
charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml Normal file
View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

13
charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-private-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt Normal file
View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

93
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl Normal file
View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

346
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml Normal file
View File

@ -0,0 +1,346 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 90
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

79
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

78
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml Normal file
View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml Normal file
View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml Normal file
View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

55
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml Normal file
View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

18
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

336
charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml Normal file
View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

8
charts/kubezero-istio/templates/envoyfilter.yaml → charts/kubezero-istio-ingress/templates/envoyfilter.yaml
View File

@ -1,8 +1,9 @@
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: ingressgateway-listener-tcp-keepalive name: ingressgateway-listener-tcp-keepalive
namespace: istio-system namespace: {{ .Release.Namespace }}
spec: spec:
workloadSelector: workloadSelector:
labels: labels:
@ -30,14 +31,15 @@ spec:
name: 5 name: 5
int_value: 60 int_value: 60
state: STATE_LISTENING state: STATE_LISTENING
{{- end }}
{{- if .Values.ingress.private.enabled }} {{- if index .Values "istio-private-ingress" "enabled" }}
--- ---
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: private-ingressgateway-listener-tcp-keepalive name: private-ingressgateway-listener-tcp-keepalive
namespace: istio-system namespace: {{ .Release.Namespace }}
spec: spec:
workloadSelector: workloadSelector:
labels: labels:

35
charts/kubezero-istio-ingress/templates/ingress-certificate.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if index .Values "istio-ingress" "dnsNames" }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ingress-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
secretName: ingress-cert
issuerRef:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
{{- end }}
{{- if index .Values "istio-private-ingress" "dnsNames" }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: private-ingress-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
secretName: private-ingress-cert
issuerRef:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
{{- end }}

44
charts/kubezero-istio/templates/ingress-gateway.yaml → charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
View File

@ -1,8 +1,9 @@
apiVersion: networking.istio.io/v1alpha3 {{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
metadata: metadata:
name: ingressgateway name: ingressgateway
namespace: istio-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
@ -14,7 +15,7 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls: tls:
httpsRedirect: true httpsRedirect: true
- port: - port:
@ -22,20 +23,21 @@ spec:
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: ingress-cert
{{- end }}
{{- if .Values.ingress.private.enabled }} {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
--- ---
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
metadata: metadata:
name: private-ingressgateway name: private-ingressgateway
namespace: istio-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
@ -47,7 +49,7 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
httpsRedirect: true httpsRedirect: true
- port: - port:
@ -55,33 +57,45 @@ spec:
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: private-ingress-cert
- port: - port:
number: 5672 number: 5672
name: amqp name: amqp
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port: - port:
number: 5671 number: 5671
name: amqps name: amqps
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port: - port:
number: 24224 number: 24224
name: fluentd-forward name: fluentd-forward
protocol: TLS protocol: TLS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: private-ingress-cert
- port:
number: 6379
name: redis
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 6380
name: redis-1
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- end }} {{- end }}

122
charts/kubezero-istio-ingress/values.yaml Normal file
View File

@ -0,0 +1,122 @@
# Make sure these values match kuberzero-istio !!!
global:
hub: docker.io/istio
tag: 1.8.1
logAsJson: true
jwtPolicy: first-party-jwt
priorityClassName: "system-cluster-critical"
defaultPodDisruptionBudget:
enabled: false
arch:
amd64: 2
istio-ingress:
enabled: false
gateways:
istio-ingressgateway:
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
# The node selector is normally the list of nodeports, see CloudBender
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
ports:
- name: http-status
port: 15021
nodePort: 30021
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
- name: https
port: 443
targetPort: 8443
nodePort: 30443
dnsNames: []
# - '*.example.com'
istio-private-ingress:
enabled: false
gateways:
istio-ingressgateway:
# name and labels make the ingress private
name: istio-private-ingressgateway
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
ports:
- name: http-status
port: 15021
nodePort: 31021
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
- name: https
port: 443
targetPort: 8443
nodePort: 31443
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
#- name: amqps
# port: 5671
# nodePort: 31671
#- name: amqp
# port: 5672
# nodePort: 31672
#- name: redis
# port: 6379
# nodePort: 31379
dnsNames: []
# - '*.example.com'

2
charts/kubezero-istio/.gitignore vendored
View File

@ -1,2 +1,2 @@
istioctl istioctl
istio-* istio-?.?.?

2
charts/kubezero-istio/.helmignore Normal file
View File

@ -0,0 +1,2 @@
istioctl
istio-?.?.?

10
charts/kubezero-istio/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.3.4 version: 0.4.1
appVersion: 1.7.3 appVersion: 1.8.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,8 @@ dependencies:
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: istio-operator - name: base
version: ">= 1.7" version: 1.1.0
- name: istio-discovery
version: 1.2.0
kubeVersion: ">= 1.16.0" kubeVersion: ">= 1.16.0"

39
charts/kubezero-istio/README.md
View File

@ -1,10 +1,10 @@
# kubezero-istio # kubezero-istio
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square) ![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
KubeZero Umbrella Chart for Istio KubeZero Umbrella Chart for Istio
Installs Istio Operator and KubeZero Istio profile Installs the Istio control plane
**Homepage:** <https://kubezero.com> **Homepage:** <https://kubezero.com>
@ -20,26 +20,33 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | istio-operator | >= 1.7 | | | base | 1.1.0 |
| | istio-discovery | 1.2.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## KubeZero default configuration
- mapped istio-operator to run on the controller nodes only
## Values ## Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| ingress.autoscaleEnabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| ingress.dnsNames[0] | string | `"*"` | | | global.hub | string | `"docker.io/istio"` | |
| ingress.private.enabled | bool | `true` | | | global.jwtPolicy | string | `"first-party-jwt"` | |
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | | | global.logAsJson | bool | `true` | |
| ingress.replicaCount | int | `2` | | | global.priorityClassName | string | `"system-cluster-critical"` | |
| ingress.type | string | `"NodePort"` | | | global.tag | string | `"1.8.0"` | |
| istio-operator.hub | string | `"docker.io/istio"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
| istio-operator.tag | string | `"1.7.3"` | | | istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
| istiod.autoscaleEnabled | bool | `false` | | | istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
| istiod.replicaCount | int | `1` | | | istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| istio-discovery.pilot.replicaCount | int | `1` | |
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| istio-discovery.telemetry.enabled | bool | `false` | |
## Resources ## Resources

Some files were not shown because too many files have changed in this diff Show More