Merge pull request 'Merge argoless branch into master' (#30) from argoless into master

Reviewed-on: ZeroDownTime/kubezero#30
This commit is contained in:
Stefan Reimer 2021-01-12 15:03:35 +00:00
commit a570431940
523 changed files with 100596 additions and 15498 deletions

14
Makefile Normal file
View File

@ -0,0 +1,14 @@
BUCKET ?= zero-downtime
BUCKET_PREFIX ?= /cloudbender/distfiles
FILES ?= distfiles.txt
.PHONY: clean update
all: update
clean:
rm -f kube*.tgz
update:
./script/update_helm.sh

View File

@ -1 +0,0 @@
../../helm-charts/charts/fluent-bit

13
charts/kubeadm/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.18.14
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- kubeadm
maintainers:
- name: Quarky9
kubeVersion: ">= 1.16.0"

View File

@ -0,0 +1,28 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
Installs the Istio control plane
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
## Resources
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
- https://github.com/awslabs/amazon-eks-ami

View File

@ -0,0 +1,61 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: kubezero-clusterconfiguration
kubernetesVersion: {{ .Values.clusterVersion }}
clusterName: {{ .Values.clusterName }}
controlPlaneEndpoint: {{ .Values.apiEndpoint }}
networking:
podSubnet: 10.244.0.0/16
etcd:
local:
extraArgs:
listen-metrics-urls: "http://0.0.0.0:2381"
{{- with .Values.etcdExtraArgs }}
{{- toYaml . | nindent 6 }}
{{- end }}
controllerManager:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }}
# Default anyways but make kube-bench happy
feature-gates: "RotateKubeletServerCertificate=true"
scheduler:
extraArgs:
profiling: "false"
bind-address: 0.0.0.0
leader-elect: {{ .Values.clusterHighAvailable | quote }}
apiServer:
certSANs:
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
extraArgs:
etcd-servers: {{ .Values.allEtcdEndpoints }}
profiling: "false"
feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
audit-log-maxage: "7"
audit-log-maxsize: "100"
audit-log-maxbackup: "3"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }}
goaway-chance: ".001"
{{- end }}
{{- with .Values.apiExtraArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
extraVolumes:
- name: kubezero-apiserver
hostPath: /etc/kubernetes/apiserver
mountPath: /etc/kubernetes/apiserver
readOnly: true
pathType: DirectoryOrCreate
- name: audit-log
hostPath: /var/log/kubernetes
mountPath: /var/log/kubernetes
pathType: DirectoryOrCreate

View File

@ -0,0 +1,12 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
metadata:
name: kubezero-initconfiguration
localAPIEndpoint:
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
nodeRegistration:
ignorePreflightErrors:
- Swap
- DirAvailable--var-lib-etcd
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}

View File

@ -0,0 +1,18 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
metadata:
name: kubezero-joinconfiguration
discovery:
bootstrapToken:
apiServerEndpoint: {{ .Values.apiEndpoint }}
token: {{ .Values.joinToken }}
caCertHashes:
- "{{ .Values.caCertHash }}"
nodeRegistration:
ignorePreflightErrors:
- DirAvailable--var-lib-etcd
- Swap
controlPlane:
localAPIEndpoint:
advertiseAddress: {{ .Values.ipAddress }}
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}

View File

@ -0,0 +1,6 @@
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
metadata:
name: kubezero-kubeproxyconfiguration
metricsBindAddress: "0.0.0.0:10249"
mode: ""

View File

@ -0,0 +1,19 @@
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
metadata:
name: kubezero-kubeletconfiguration
failSwapOn: false
hairpinMode: hairpin-veth
resolvConf: /run/systemd/resolve/resolv.conf
protectKernelDefaults: true
eventRecordQPS: 0
# Breaks kubelet at boot time
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
featureGates:
# Default anyways but make kube-bench happy
RotateKubeletServerCertificate: true
CSIMigration: true
CSIMigrationAWS: true
CSIMigrationAWSComplete: true

View File

@ -0,0 +1,7 @@
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
metadata:
name: kubezero-admissionconfiguration
plugins:
- name: EventRateLimit
path: /etc/kubernetes/apiserver/event-config.yaml

View File

@ -0,0 +1,7 @@
# Don't Log anything, but audit policy enabled
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: kubezero-auditpolicy
rules:
- level: None

View File

@ -0,0 +1,13 @@
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
kind: Configuration
metadata:
name: kubezero-eventratelimits
limits:
- type: Namespace
qps: 50
burst: 100
cacheSize: 20
- type: User
qps: 10
burst: 50
cacheSize: 20

View File

@ -0,0 +1,32 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: iamidentitymappings.iamauthenticator.k8s.aws
spec:
group: iamauthenticator.k8s.aws
version: v1alpha1
scope: Cluster
names:
plural: iamidentitymappings
singular: iamidentitymapping
kind: IAMIdentityMapping
categories:
- all
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
required:
- arn
- username
properties:
arn:
type: string
username:
type: string
groups:
type: array
items:
type: string

View File

@ -0,0 +1,164 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aws-iam-authenticator
rules:
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings
verbs:
- get
- list
- watch
- apiGroups:
- iamauthenticator.k8s.aws
resources:
- iamidentitymappings/status
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- aws-auth
verbs:
- get
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: aws-iam-authenticator
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: aws-iam-authenticator
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aws-iam-authenticator
subjects:
- kind: ServiceAccount
name: aws-iam-authenticator
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
data:
config.yaml: |
clusterID: {{ .Values.clusterName }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
namespace: kube-system
name: aws-iam-authenticator
labels:
k8s-app: aws-iam-authenticator
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
selector:
matchLabels:
k8s-app: aws-iam-authenticator
updateStrategy:
type: RollingUpdate
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
k8s-app: aws-iam-authenticator
spec:
# use service account with access to
serviceAccountName: aws-iam-authenticator
# run on the host network (don't depend on CNI)
hostNetwork: true
# run on each master node
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- key: CriticalAddonsOnly
operator: Exists
containers:
- name: aws-iam-authenticator
image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
args:
- server
- --backend-mode=CRD,MountedFile
- --config=/etc/aws-iam-authenticator/config.yaml
- --state-dir=/var/aws-iam-authenticator
- --kubeconfig-pregenerated=true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
memory: 20Mi
cpu: 10m
limits:
memory: 20Mi
cpu: 100m
volumeMounts:
- name: config
mountPath: /etc/aws-iam-authenticator/
- name: state
mountPath: /var/aws-iam-authenticator/
volumes:
- name: config
configMap:
name: aws-iam-authenticator
- name: state
hostPath:
path: /var/aws-iam-authenticator/
---
apiVersion: iamauthenticator.k8s.aws/v1alpha1
kind: IAMIdentityMapping
metadata:
name: kubernetes-admin
spec:
# Arn of the User or Role to be allowed to authenticate
arn: {{ .Values.kubeAdminRole }}
username: kubernetes-admin
groups:
- system:masters

View File

@ -0,0 +1,11 @@
clusterVersion: 1.18.0
clusterName: pleasechangeme
apiEndpoint: kube-api.changeme.org:6443
etcdExtraArgs: {}
# Enable for > 1.18
# unsafe-no-fsync: "true"
apiExtraArgs: {}
clusterHighAvailable: false
allEtcdEndpoints: ""
joinToken: ""
caCertHash: ""

View File

@ -1,26 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubezero
namespace: argocd
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
project: kubezero
source:
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
helm:
values: |
{{- toYaml .Values.kubezero | nindent 8 }}
destination:
server: {{ .Values.kubezero.global.defaultDestination.server }}
namespace: argocd
{{- if .Values.kubezero.global.syncPolicy }}
syncPolicy:
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
{{- end }}

View File

@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
name: kubezero-argo-cd name: kubezero-argocd
version: 0.6.0 version: 0.6.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,6 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: argo-cd - name: argo-cd
version: 2.9.3 version: 2.9.5
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
kubeVersion: ">= 1.17.0" kubeVersion: ">= 1.16.0"

View File

@ -1,6 +1,6 @@
# kubezero-argo-cd # kubezero-argocd
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
@ -14,11 +14,11 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl
## Requirements ## Requirements
Kubernetes: `>= 1.17.0` Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 | | https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values ## Values
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
| argo-cd.controller.metrics.enabled | bool | `false` | | | argo-cd.controller.metrics.enabled | bool | `false` | |
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
| argo-cd.dex.enabled | bool | `false` | | | argo-cd.dex.enabled | bool | `false` | |
| argo-cd.global.image.tag | string | `"v1.7.8"` | | | argo-cd.global.image.tag | string | `"v1.7.10"` | |
| argo-cd.installCRDs | bool | `false` | | | argo-cd.installCRDs | bool | `false` | |
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| argo-cd.istio.ipBlocks | list | `[]` | |
| argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.logFormat | string | `"json"` | |
| argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | |
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | | argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | | argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | | | argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
@ -53,12 +48,16 @@ Kubernetes: `>= 1.17.0`
| argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.enabled | bool | `false` | |
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster | | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees | | istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications | | istio.ipBlocks | list | `[]` | |
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL | | kubezero.enabled | bool | `false` | |
| kubezero.path | string | `"charts/kubezero"` | path within repoURL |
| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications |
| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster |
| kubezero.targetRevision | string | `"HEAD"` | git branch to track |
| kubezero.valuesFiles[0] | string | `"values.yaml"` | |
## Resources ## Resources
- https://argoproj.github.io/argo-cd/operator-manual/metrics/ - https://argoproj.github.io/argo-cd/operator-manual/metrics/

View File

@ -1,5 +1,5 @@
{{- if index .Values "argo-cd" "istio" "enabled" }} {{- if .Values.istio.enabled }}
{{- if index .Values "argo-cd" "istio" "ipBlocks" }} {{- if .Values.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
@ -16,7 +16,7 @@ spec:
- from: - from:
- source: - source:
notIpBlocks: notIpBlocks:
{{- with index .Values "argo-cd" "istio" "ipBlocks" }} {{- with .Values.istio.ipBlocks }}
{{- . | toYaml | nindent 8 }} {{- . | toYaml | nindent 8 }}
{{- end }} {{- end }}
to: to:

View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "istio" "enabled" }} {{- if .Values.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: VirtualService kind: VirtualService
metadata: metadata:
@ -7,7 +7,7 @@ metadata:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
gateways: gateways:
- {{ index .Values "argo-cd" "istio" "gateway" }} - {{ .Values.istio.gateway }}
hosts: hosts:
- {{ index .Values "argo-cd" "server" "config" "url" }} - {{ index .Values "argo-cd" "server" "config" "url" }}
http: http:
@ -18,13 +18,13 @@ spec:
prefix: argocd-client prefix: argocd-client
route: route:
- destination: - destination:
host: {{ .Release.Name }}-argocd-server host: argocd-server
port: port:
number: 443 number: 443
- name: http - name: http
route: route:
- destination: - destination:
host: {{ .Release.Name }}-argocd-server host: argocd-server
port: port:
number: 80 number: 80
{{- end }} {{- end }}

View File

@ -1,3 +1,4 @@
{{- if .Values.kubezero.enabled }}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: AppProject kind: AppProject
metadata: metadata:
@ -12,7 +13,6 @@ spec:
sourceRepos: sourceRepos:
- '*' - '*'
# Only permit applications to deploy to the guestbook namespace in the same cluster
destinations: destinations:
- namespace: argocd - namespace: argocd
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
@ -20,10 +20,10 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: cert-manager - namespace: cert-manager
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: istio-operator
server: https://kubernetes.default.svc
- namespace: istio-system - namespace: istio-system
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: istio-ingress
server: https://kubernetes.default.svc
- namespace: monitoring - namespace: monitoring
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: elastic-system - namespace: elastic-system
@ -34,3 +34,32 @@ spec:
clusterResourceWhitelist: clusterResourceWhitelist:
- group: '*' - group: '*'
kind: '*' kind: '*'
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubezero
namespace: argocd
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
project: kubezero
source:
repoURL: {{ .Values.kubezero.repoURL }}
targetRevision: {{ .Values.kubezero.targetRevision }}
path: {{ .Values.kubezero.path }}
helm:
valueFiles:
{{- toYaml .Values.kubezero.valuesFiles | nindent 6 }}
destination:
server: {{ .Values.kubezero.server }}
namespace: argocd
{{- with .Values.kubezero.syncPolicy }}
syncPolicy:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,24 +1,35 @@
# Configure app of apps
kubezero: kubezero:
global: enabled: false
# kubezero.global.defaultDestination -- Destination cluster
defaultDestination:
server: https://kubernetes.default.svc
# This repoURL is used a base for all the repoURLs applications # kubezero.server -- destination cluster
# Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be server: https://kubernetes.default.svc
# integrated into any repository as a git subtree if for example public internet access is unavailable
defaultSource:
# kubezero.global.defaultSource.repoURL -- default repository for argocd applications
repoURL: https://github.com/zero-down-time/kubezero
# kubezero.global.defaultSource.targetRevision -- default tracking of repoURL
targetRevision: HEAD
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
pathPrefix: ''
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync # This repoURL is used a base for all the repoURLs applications
#syncPolicy: # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be
# automated: # integrated into any repository as a git subtree if for example public internet access is unavailable
# prune: true # kubezero.repoURL -- repository for kubezero argo applications
repoURL: https://github.com/zero-down-time/kubezero
# kubezero.targetRevision -- git branch to track
targetRevision: HEAD
# kubezero.path -- path within repoURL
path: 'charts/kubezero'
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
#syncPolicy:
# automated:
# prune: true
valuesFiles:
- values.yaml
# Support for Istio Ingress for ArgoCD
istio:
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-ingress/ingressgateway
ipBlocks: []
argo-cd: argo-cd:
installCRDs: false installCRDs: false
@ -31,7 +42,7 @@ argo-cd:
global: global:
image: image:
tag: v1.7.8 tag: v1.7.10
controller: controller:
args: args:
@ -44,7 +55,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -62,7 +72,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -72,6 +81,9 @@ argo-cd:
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
url: argocd.example.com url: argocd.example.com
#repositories: |
# - url: https://zero-down-time.github.io/kubezero.git
resource.customizations: | resource.customizations: |
cert-manager.io/Certificate: cert-manager.io/Certificate:
# Lua script for customizing the health status assessment # Lua script for customizing the health status assessment
@ -105,7 +117,6 @@ argo-cd:
enabled: false enabled: false
serviceMonitor: serviceMonitor:
enabled: true enabled: true
namespace: monitoring
additionalLabels: additionalLabels:
release: metrics release: metrics
@ -118,10 +129,3 @@ argo-cd:
dex: dex:
enabled: false enabled: false
istio:
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-system/ingressgateway
ipBlocks: []

View File

@ -1 +0,0 @@
git

View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-aws-ebs-csi-driver name: kubezero-aws-ebs-csi-driver
description: KubeZero Umbrella Chart for aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver
type: application type: application
version: 0.3.2 version: 0.3.4
appVersion: 0.7.0 appVersion: 0.8.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
sources: sources:
@ -17,6 +17,9 @@ keywords:
maintainers: maintainers:
- name: Quarky9 - name: Quarky9
dependencies: dependencies:
- name: aws-ebs-csi-driver
version: 0.7.1
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/

View File

@ -1,6 +1,6 @@
# kubezero-aws-ebs-csi-driver # kubezero-aws-ebs-csi-driver
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square) ![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
KubeZero Umbrella Chart for aws-ebs-csi-driver KubeZero Umbrella Chart for aws-ebs-csi-driver
@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.7.1 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## IAM Role ## IAM Role

View File

@ -1,16 +0,0 @@
apiVersion: v1
appVersion: "0.7.0"
name: aws-ebs-csi-driver
description: A Helm chart for AWS EBS CSI Driver
version: 0.6.0
kubeVersion: ">=1.13.0-0"
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
sources:
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
keywords:
- aws
- ebs
- csi
maintainers:
- name: leakingtapan
email: chengpan@amazon.com

View File

@ -1,3 +0,0 @@
To verify that aws-ebs-csi-driver has started, run:
kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"

View File

@ -1,20 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-attacher-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["csi.storage.k8s.io"]
resources: ["csinodeinfos"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update"]

View File

@ -1,35 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-provisioner-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]

View File

@ -1,31 +0,0 @@
{{- if .Values.enableVolumeResizing }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-resizer-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
# The following rule should be uncommented for plugins that require secrets
# for provisioning.
# - apiGroups: [""]
# resources: ["secrets"]
# verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
{{- end}}

View File

@ -1,35 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-snapshot-controller-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["update"]
{{- end }}

View File

@ -1,25 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-snapshotter-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents/status"]
verbs: ["update"]
{{- end }}

View File

@ -1,15 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-attacher-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-attacher-role
apiGroup: rbac.authorization.k8s.io

View File

@ -1,15 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-provisioner-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-provisioner-role
apiGroup: rbac.authorization.k8s.io

View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeResizing }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-resizer-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-resizer-role
apiGroup: rbac.authorization.k8s.io
{{- end}}

View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-snapshot-controller-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-snapshot-controller
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-snapshot-controller-role
apiGroup: rbac.authorization.k8s.io
{{- end }}

View File

@ -1,18 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-snapshotter-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-csi-controller-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: ebs-external-snapshotter-role
apiGroup: rbac.authorization.k8s.io
{{- end }}

View File

@ -1,157 +0,0 @@
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
name: ebs-csi-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.podAnnotations }}
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
spec:
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.nodeSelector }}
{{ toYaml . | indent 8 }}
{{- end }}
serviceAccountName: ebs-csi-controller-sa
priorityClassName: system-cluster-critical
{{- with .Values.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
tolerations:
- operator: Exists
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: ebs-plugin
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if ne .Release.Name "kustomize" }}
- controller
{{- else }}
# - {all,controller,node} # specify the driver mode
{{- end }}
- --endpoint=$(CSI_ENDPOINT)
{{- if .Values.extraVolumeTags }}
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
{{- end }}
- --logtostderr
- --v=5
env:
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-secret
key: key_id
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-secret
key: access_key
optional: true
{{- if .Values.region }}
- name: AWS_REGION
value: {{ .Values.region }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --v=5
{{- if .Values.enableVolumeScheduling }}
- --feature-gates=Topology=true
{{- end}}
- --enable-leader-election
- --leader-election-type=leases
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: csi-attacher
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --v=5
- --leader-election=true
- --leader-election-type=leases
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- if .Values.enableVolumeSnapshot }}
- name: csi-snapshotter
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --leader-election=true
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- end }}
{{- if .Values.enableVolumeResizing }}
- name: csi-resizer
image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }}
imagePullPolicy: Always
args:
- --csi-address=$(ADDRESS)
- --v=5
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
- --csi-address=/csi/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /csi
volumes:
- name: socket-dir
emptyDir: {}

View File

@ -1,9 +0,0 @@
apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
name: ebs.csi.aws.com
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
attachRequired: true
podInfoOnMount: false

View File

@ -1,117 +0,0 @@
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: ebs-csi-node
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: ebs-csi-node
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-csi-node
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.node.podAnnotations }}
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
{{- end }}
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
{{- with .Values.node.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: ebs-plugin
securityContext:
privileged: true
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
args:
- node
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v=5
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
- name: node-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --v=5
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
args:
- --csi-address=/csi/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
volumes:
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory

View File

@ -1,15 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-snapshot-controller-leaderelection
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- end }}

View File

@ -1,19 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-controller-leaderelection
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: ebs-snapshot-controller
namespace: kube-system
roleRef:
kind: Role
name: snapshot-controller-leaderelection
apiGroup: rbac.authorization.k8s.io
{{- end }}

View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-csi-controller-sa
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.controller.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- if eq .Release.Name "kustomize" }}
#Enable if EKS IAM for SA is used
#annotations:
# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
{{- end }}

View File

@ -1,13 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-snapshot-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.snapshot.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,30 +0,0 @@
{{- if .Values.enableVolumeSnapshot }}
#Snapshot controller
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: ebs-snapshot-controller
namespace: kube-system
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
serviceName: ebs-snapshot-controller
replicas: 1
selector:
matchLabels:
app: ebs-snapshot-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-snapshot-controller
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
spec:
serviceAccountName: ebs-snapshot-controller
containers:
- name: snapshot-controller
image: quay.io/k8scsi/snapshot-controller:v2.1.1
args:
- --v=5
- --leader-election=false
{{- end }}

View File

@ -1,86 +0,0 @@
# Default values for aws-ebs-csi-driver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 2
image:
repository: amazon/aws-ebs-csi-driver
tag: "v0.7.0"
pullPolicy: IfNotPresent
sidecars:
provisionerImage:
repository: quay.io/k8scsi/csi-provisioner
tag: "v1.5.0"
attacherImage:
repository: quay.io/k8scsi/csi-attacher
tag: "v1.2.0"
snapshotterImage:
repository: quay.io/k8scsi/csi-snapshotter
tag: "v2.1.1"
livenessProbeImage:
repository: quay.io/k8scsi/livenessprobe
tag: "v1.1.0"
resizerImage:
repository: quay.io/k8scsi/csi-resizer
tag: "v0.3.0"
nodeDriverRegistrarImage:
repository: quay.io/k8scsi/csi-node-driver-registrar
tag: "v1.1.0"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
# True if enable volume scheduling for dynamic volume provisioning
enableVolumeScheduling: false
# True if enable volume resizing
enableVolumeResizing: false
# True if enable volume snapshot
enableVolumeSnapshot: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
# Extra volume tags to attach to each dynamically provisioned volume.
# ---
# extraVolumeTags:
# key1: value1
# key2: value2
extraVolumeTags: {}
# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
# service.
# ---
# region: us-east-1
region: ""
node:
podAnnotations: {}
tolerations: []
serviceAccount:
controller:
annotations: {}
snapshot:
annotations: {}

View File

@ -4,6 +4,22 @@ apiVersion: storage.k8s.io/v1
metadata: metadata:
name: ebs-sc-gp2-xfs name: ebs-sc-gp2-xfs
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
csi.storage.k8s.io/fstype: xfs
type: gp2
encrypted: "true"
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
allowVolumeExpansion: true
{{- end }}
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: ebs-sc-gp3-xfs
labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
{{- if .Values.StorageClass.default }} {{- if .Values.StorageClass.default }}
annotations: annotations:
@ -13,7 +29,7 @@ provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer volumeBindingMode: WaitForFirstConsumer
parameters: parameters:
csi.storage.k8s.io/fstype: xfs csi.storage.k8s.io/fstype: xfs
type: gp2 type: gp3
encrypted: "true" encrypted: "true"
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }} {{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
allowVolumeExpansion: true allowVolumeExpansion: true

View File

@ -1,14 +0,0 @@
#!/bin/bash
set -ex
# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
REPO="kubernetes-sigs/aws-ebs-csi-driver"
[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
rm -rf git
git clone https://github.com/$REPO.git git
cd git && git checkout $RELEASE && cd -
rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver
mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver

View File

@ -20,3 +20,5 @@
.idea/ .idea/
*.tmproj *.tmproj
.vscode/ .vscode/
git

View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-calico name: kubezero-calico
description: KubeZero Umbrella Chart for Calico description: KubeZero Umbrella Chart for Calico
type: application type: application
version: 0.2.0 version: 0.2.1
appVersion: v3.16.1 appVersion: v3.16.5
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

View File

@ -1,6 +1,6 @@
# kubezero-calico # kubezero-calico
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square) ![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square)
KubeZero Umbrella Chart for Calico KubeZero Umbrella Chart for Calico
@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| image.tag | string | `""` | | | image.tag | string | `""` | |
| installCRDs | bool | `false` | |
| loglevel | string | `"Warning"` | | | loglevel | string | `"Warning"` | |
| mtu | int | `8941` | | | mtu | int | `8941` | |
| network | string | `"vxlan"` | | | network | string | `"vxlan"` | |

View File

@ -1,101 +0,0 @@
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
@@ -10,13 +10,13 @@
# Typha is disabled.
typha_service_name: "none"
# Configure the backend to use.
- calico_backend: "bird"
+ calico_backend: "vxlan"
# Configure the MTU to use for workload interfaces and tunnels.
# - If Wireguard is enabled, set to your network MTU - 60
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
# - Otherwise, if not using any encapsulation, set to your network MTU.
- veth_mtu: "1410"
+ veth_mtu: "8941"
# The CNI network configuration to install on each node. The special
# values in this config will be automatically populated.
@@ -3451,29 +3451,6 @@
terminationGracePeriodSeconds: 0
priorityClassName: system-node-critical
initContainers:
- # This container performs upgrade from host-local IPAM to calico-ipam.
- # It can be deleted if this is a fresh installation, or if you have already
- # upgraded to use calico-ipam.
- - name: upgrade-ipam
- image: calico/cni:v3.15.0
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
- env:
- - name: KUBERNETES_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: CALICO_NETWORKING_BACKEND
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: calico_backend
- volumeMounts:
- - mountPath: /var/lib/cni/networks
- name: host-local-net-dir
- - mountPath: /host/opt/cni/bin
- name: cni-bin-dir
- securityContext:
- privileged: true
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
@@ -3545,7 +3522,7 @@
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
- value: "k8s,bgp"
+ value: "k8s,kubeadm"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
@@ -3554,7 +3531,7 @@
value: "Never"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
- value: "CrossSubnet"
+ value: "Always"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
@@ -3595,9 +3572,17 @@
value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
- value: "info"
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYFILE
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYSYS
+ value: ""
- name: FELIX_HEALTHENABLED
value: "true"
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
+ value: "false"
+ - name: FELIX_PROMETHEUSMETRICSENABLED
+ value: "true"
securityContext:
privileged: true
resources:
@@ -3608,7 +3593,6 @@
command:
- /bin/calico-node
- -felix-live
- - -bird-live
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
@@ -3617,7 +3601,6 @@
command:
- /bin/calico-node
- -felix-ready
- - -bird-ready
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +1,4 @@
---
# Source: calico/templates/kdd-crds.yaml # Source: calico/templates/kdd-crds.yaml
@ -192,6 +193,29 @@ spec:
description: Selector for the nodes that should have this peering. When description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty. this is set, the Node field must be empty.
type: string type: string
password:
description: Optional BGP password for the peerings generated by this
BGPPeer resource.
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
peerIP: peerIP:
description: The IP address of the peer followed by an optional port description: The IP address of the peer followed by an optional port
number to peer with. If port number is given, format should be `[<IPv6>]:port` number to peer with. If port number is given, format should be `[<IPv6>]:port`
@ -396,6 +420,16 @@ spec:
spec: spec:
description: FelixConfigurationSpec contains the values of the Felix configuration. description: FelixConfigurationSpec contains the values of the Felix configuration.
properties: properties:
allowIPIPPacketsFromWorkloads:
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
will add a rule to drop IPIP encapsulated traffic from workloads
[Default: false]'
type: boolean
allowVXLANPacketsFromWorkloads:
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
will add a rule to drop VXLAN encapsulated traffic from workloads
[Default: false]'
type: boolean
awsSrcDstCheck: awsSrcDstCheck:
description: 'Set source-destination-check on AWS EC2 instances. Accepted description: 'Set source-destination-check on AWS EC2 instances. Accepted
value must be one of "DoNothing", "Enabled" or "Disabled". [Default: value must be one of "DoNothing", "Enabled" or "Disabled". [Default:

View File

@ -1,6 +0,0 @@
{{- if .Values.installCRDs }}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}

View File

@ -1,5 +1,3 @@
installCRDs: false
image: image:
tag: "" tag: ""

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-cert-manager name: kubezero-cert-manager
description: KubeZero Umbrella Chart for cert-manager description: KubeZero Umbrella Chart for cert-manager
type: application type: application
version: 0.4.0 version: 0.4.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: cert-manager - name: cert-manager
version: 1.0.3 version: 1.1.0
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
condition: cert-manager.enabled
kubeVersion: ">= 1.16.0" kubeVersion: ">= 1.16.0"

View File

@ -1,6 +1,6 @@
# kubezero-cert-manager # kubezero-cert-manager
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for cert-manager KubeZero Umbrella Chart for cert-manager
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://charts.jetstack.io | cert-manager | 1.0.3 | | https://charts.jetstack.io | cert-manager | 1.1.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## AWS - IAM Role ## AWS - IAM Role
@ -38,12 +38,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| cert-manager.enabled | bool | `true` | |
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
| cert-manager.installCRDs | bool | `true` | |
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | | cert-manager.podAnnotations | object | `{}` | |
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
@ -51,5 +52,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| clusterIssuer | object | `{}` | | | clusterIssuer | object | `{}` | |
| localCA.enabled | bool | `true` | | | localCA.enabled | bool | `false` | |
| localCA.selfsigning | bool | `true` | | | localCA.selfsigning | bool | `true` | |

View File

@ -3,11 +3,11 @@
# KubeZero / Local cluster CA # KubeZero / Local cluster CA
# The resources are serialized via waves in Argo # The resources are serialized via waves in Argo
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: kubezero-selfsigning-issuer name: kubezero-selfsigning-issuer
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:
@ -15,11 +15,11 @@ metadata:
spec: spec:
selfSigned: {} selfSigned: {}
--- ---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: kubezero-local-ca name: kubezero-local-ca
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:
@ -30,6 +30,7 @@ spec:
isCA: true isCA: true
issuerRef: issuerRef:
name: kubezero-selfsigning-issuer name: kubezero-selfsigning-issuer
kind: ClusterIssuer
usages: usages:
- "any" - "any"
--- ---
@ -39,7 +40,7 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: kubezero-ca-tls name: kubezero-ca-tls
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
data: data:
@ -48,11 +49,11 @@ data:
--- ---
{{- end }} {{- end }}
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: kubezero-local-ca-issuer name: kubezero-local-ca-issuer
namespace: kube-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
annotations: annotations:

View File

@ -1,5 +1,5 @@
{{- if .Values.clusterIssuer.name }} {{- if .Values.clusterIssuer.name }}
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: {{ .Values.clusterIssuer.name }} name: {{ .Values.clusterIssuer.name }}

View File

@ -9,7 +9,7 @@ clusterIssuer: {}
# hostedZoneID: 1234567890 # hostedZoneID: 1234567890
localCA: localCA:
enabled: true enabled: false
# If selfsigning is false you must provide the ca key and crt below # If selfsigning is false you must provide the ca key and crt below
selfsigning: true selfsigning: true
#ca: #ca:
@ -17,34 +17,45 @@ localCA:
# crt: <pem-crt-material> # crt: <pem-crt-material>
cert-manager: cert-manager:
installCRDs: true enabled: true
global:
leaderElection:
namespace: "cert-manager"
podAnnotations: {}
# iam.amazonaws.com/role: ""
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
ingressShim: ingressShim:
defaultIssuerName: letsencrypt-dns-prod defaultIssuerName: letsencrypt-dns-prod
defaultIssuerKind: ClusterIssuer defaultIssuerKind: ClusterIssuer
webhook: webhook:
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
cainjector: cainjector:
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
extraArgs: extraArgs:
- "--dns01-recursive-nameservers-only" - "--dns01-recursive-nameservers-only"
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true # - --enable-certificate-owner-ref=true
prometheus: prometheus:
servicemonitor: servicemonitor:
enabled: false enabled: false
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
podAnnotations: {}
# iam.amazonaws.com/role: ""

View File

@ -0,0 +1,24 @@
apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.1.1
appVersion: 1.8.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- istio
maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.1.0
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.1.0
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.16.0"

View File

@ -0,0 +1,97 @@
# kubezero-istio-ingress
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
**Homepage:** <https://kubezero.com>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Quarky9 | | |
## Requirements
Kubernetes: `>= 1.16.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-ingress | 1.1.0 |
| | istio-private-ingress | 1.1.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.arch.amd64 | int | `2` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.hub | string | `"docker.io/istio"` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| global.tag | string | `"1.8.1"` | |
| istio-ingress.dnsNames | list | `[]` | |
| istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.dnsNames | list | `[]` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

View File

@ -0,0 +1,24 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

View File

@ -0,0 +1,346 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 90
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-private-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

View File

@ -0,0 +1,346 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 90
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

View File

@ -1,8 +1,9 @@
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: ingressgateway-listener-tcp-keepalive name: ingressgateway-listener-tcp-keepalive
namespace: istio-system namespace: {{ .Release.Namespace }}
spec: spec:
workloadSelector: workloadSelector:
labels: labels:
@ -30,14 +31,15 @@ spec:
name: 5 name: 5
int_value: 60 int_value: 60
state: STATE_LISTENING state: STATE_LISTENING
{{- end }}
{{- if .Values.ingress.private.enabled }} {{- if index .Values "istio-private-ingress" "enabled" }}
--- ---
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: private-ingressgateway-listener-tcp-keepalive name: private-ingressgateway-listener-tcp-keepalive
namespace: istio-system namespace: {{ .Release.Namespace }}
spec: spec:
workloadSelector: workloadSelector:
labels: labels:

View File

@ -0,0 +1,35 @@
{{- if index .Values "istio-ingress" "dnsNames" }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ingress-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
secretName: ingress-cert
issuerRef:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
{{- end }}
{{- if index .Values "istio-private-ingress" "dnsNames" }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: private-ingress-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
secretName: private-ingress-cert
issuerRef:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
{{- end }}

View File

@ -1,8 +1,9 @@
apiVersion: networking.istio.io/v1alpha3 {{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
metadata: metadata:
name: ingressgateway name: ingressgateway
namespace: istio-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
@ -14,7 +15,7 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls: tls:
httpsRedirect: true httpsRedirect: true
- port: - port:
@ -22,20 +23,21 @@ spec:
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: ingress-cert
{{- end }}
{{- if .Values.ingress.private.enabled }} {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
--- ---
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
metadata: metadata:
name: private-ingressgateway name: private-ingressgateway
namespace: istio-system namespace: {{ .Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
@ -47,7 +49,7 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
httpsRedirect: true httpsRedirect: true
- port: - port:
@ -55,33 +57,45 @@ spec:
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: private-ingress-cert
- port: - port:
number: 5672 number: 5672
name: amqp name: amqp
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port: - port:
number: 5671 number: 5671
name: amqps name: amqps
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port: - port:
number: 24224 number: 24224
name: fluentd-forward name: fluentd-forward
protocol: TLS protocol: TLS
hosts: hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert credentialName: private-ingress-cert
- port:
number: 6379
name: redis
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 6380
name: redis-1
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- end }} {{- end }}

View File

@ -0,0 +1,122 @@
# Make sure these values match kuberzero-istio !!!
global:
hub: docker.io/istio
tag: 1.8.1
logAsJson: true
jwtPolicy: first-party-jwt
priorityClassName: "system-cluster-critical"
defaultPodDisruptionBudget:
enabled: false
arch:
amd64: 2
istio-ingress:
enabled: false
gateways:
istio-ingressgateway:
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
# The node selector is normally the list of nodeports, see CloudBender
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
ports:
- name: http-status
port: 15021
nodePort: 30021
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
- name: https
port: 443
targetPort: 8443
nodePort: 30443
dnsNames: []
# - '*.example.com'
istio-private-ingress:
enabled: false
gateways:
istio-ingressgateway:
# name and labels make the ingress private
name: istio-private-ingressgateway
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
ports:
- name: http-status
port: 15021
nodePort: 31021
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
- name: https
port: 443
targetPort: 8443
nodePort: 31443
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
#- name: amqps
# port: 5671
# nodePort: 31671
#- name: amqp
# port: 5672
# nodePort: 31672
#- name: redis
# port: 6379
# nodePort: 31379
dnsNames: []
# - '*.example.com'

View File

@ -1,2 +1,2 @@
istioctl istioctl
istio-* istio-?.?.?

View File

@ -0,0 +1,2 @@
istioctl
istio-?.?.?

View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.3.4 version: 0.4.1
appVersion: 1.7.3 appVersion: 1.8.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -15,6 +15,8 @@ dependencies:
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: istio-operator - name: base
version: ">= 1.7" version: 1.1.0
- name: istio-discovery
version: 1.2.0
kubeVersion: ">= 1.16.0" kubeVersion: ">= 1.16.0"

View File

@ -1,10 +1,10 @@
# kubezero-istio # kubezero-istio
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square) ![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
KubeZero Umbrella Chart for Istio KubeZero Umbrella Chart for Istio
Installs Istio Operator and KubeZero Istio profile Installs the Istio control plane
**Homepage:** <https://kubezero.com> **Homepage:** <https://kubezero.com>
@ -20,26 +20,33 @@ Kubernetes: `>= 1.16.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | istio-operator | >= 1.7 | | | base | 1.1.0 |
| | istio-discovery | 1.2.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## KubeZero default configuration
- mapped istio-operator to run on the controller nodes only
## Values ## Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| ingress.autoscaleEnabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| ingress.dnsNames[0] | string | `"*"` | | | global.hub | string | `"docker.io/istio"` | |
| ingress.private.enabled | bool | `true` | | | global.jwtPolicy | string | `"first-party-jwt"` | |
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | | | global.logAsJson | bool | `true` | |
| ingress.replicaCount | int | `2` | | | global.priorityClassName | string | `"system-cluster-critical"` | |
| ingress.type | string | `"NodePort"` | | | global.tag | string | `"1.8.0"` | |
| istio-operator.hub | string | `"docker.io/istio"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
| istio-operator.tag | string | `"1.7.3"` | | | istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
| istiod.autoscaleEnabled | bool | `false` | | | istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
| istiod.replicaCount | int | `1` | | | istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| istio-discovery.pilot.replicaCount | int | `1` | |
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| istio-discovery.telemetry.enabled | bool | `false` | |
## Resources ## Resources

Some files were not shown because too many files have changed in this diff Show More