Merge pull request 'Merge argoless branch into master' (#30) from argoless into master
Reviewed-on: ZeroDownTime/kubezero#30
a570431940
14
Makefile
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
BUCKET ?= zero-downtime
|
||||||
|
BUCKET_PREFIX ?= /cloudbender/distfiles
|
||||||
|
FILES ?= distfiles.txt
|
||||||
|
|
||||||
|
.PHONY: clean update
|
||||||
|
|
||||||
|
all: update
|
||||||
|
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f kube*.tgz
|
||||||
|
|
||||||
|
update:
|
||||||
|
./script/update_helm.sh
|
@ -1 +0,0 @@
|
|||||||
../../helm-charts/charts/fluent-bit
|
|
13
charts/kubeadm/Chart.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v2
|
||||||
|
name: kubeadm
|
||||||
|
description: KubeZero Kubeadm golden config
|
||||||
|
type: application
|
||||||
|
version: 1.18.14
|
||||||
|
home: https://kubezero.com
|
||||||
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
keywords:
|
||||||
|
- kubezero
|
||||||
|
- kubeadm
|
||||||
|
maintainers:
|
||||||
|
- name: Quarky9
|
||||||
|
kubeVersion: ">= 1.16.0"
|
28
charts/kubeadm/README.md.gotmpl
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.deprecationWarning" . }}
|
||||||
|
|
||||||
|
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||||
|
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
Installs the Istio control plane
|
||||||
|
|
||||||
|
{{ template "chart.homepageLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.maintainersSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourcesSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
|
||||||
|
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
|
||||||
|
- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
|
||||||
|
- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
|
||||||
|
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
|
||||||
|
- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
|
||||||
|
|
||||||
|
- https://github.com/awslabs/amazon-eks-ami
|
61
charts/kubeadm/templates/ClusterConfiguration.yaml
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
apiVersion: kubeadm.k8s.io/v1beta2
|
||||||
|
kind: ClusterConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-clusterconfiguration
|
||||||
|
kubernetesVersion: {{ .Values.clusterVersion }}
|
||||||
|
clusterName: {{ .Values.clusterName }}
|
||||||
|
controlPlaneEndpoint: {{ .Values.apiEndpoint }}
|
||||||
|
networking:
|
||||||
|
podSubnet: 10.244.0.0/16
|
||||||
|
etcd:
|
||||||
|
local:
|
||||||
|
extraArgs:
|
||||||
|
listen-metrics-urls: "http://0.0.0.0:2381"
|
||||||
|
{{- with .Values.etcdExtraArgs }}
|
||||||
|
{{- toYaml . | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
controllerManager:
|
||||||
|
extraArgs:
|
||||||
|
profiling: "false"
|
||||||
|
bind-address: 0.0.0.0
|
||||||
|
terminated-pod-gc-threshold: "300"
|
||||||
|
leader-elect: {{ .Values.clusterHighAvailable | quote }}
|
||||||
|
# Default anyways but make kube-bench happy
|
||||||
|
feature-gates: "RotateKubeletServerCertificate=true"
|
||||||
|
scheduler:
|
||||||
|
extraArgs:
|
||||||
|
profiling: "false"
|
||||||
|
bind-address: 0.0.0.0
|
||||||
|
leader-elect: {{ .Values.clusterHighAvailable | quote }}
|
||||||
|
apiServer:
|
||||||
|
certSANs:
|
||||||
|
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
|
||||||
|
extraArgs:
|
||||||
|
etcd-servers: {{ .Values.allEtcdEndpoints }}
|
||||||
|
profiling: "false"
|
||||||
|
feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true"
|
||||||
|
audit-log-path: "/var/log/kubernetes/audit.log"
|
||||||
|
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
||||||
|
audit-log-maxage: "7"
|
||||||
|
audit-log-maxsize: "100"
|
||||||
|
audit-log-maxbackup: "3"
|
||||||
|
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||||
|
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
||||||
|
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
|
||||||
|
enable-admission-plugins: NodeRestriction,EventRateLimit
|
||||||
|
{{- if .Values.clusterHighAvailable }}
|
||||||
|
goaway-chance: ".001"
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.apiExtraArgs }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
extraVolumes:
|
||||||
|
- name: kubezero-apiserver
|
||||||
|
hostPath: /etc/kubernetes/apiserver
|
||||||
|
mountPath: /etc/kubernetes/apiserver
|
||||||
|
readOnly: true
|
||||||
|
pathType: DirectoryOrCreate
|
||||||
|
- name: audit-log
|
||||||
|
hostPath: /var/log/kubernetes
|
||||||
|
mountPath: /var/log/kubernetes
|
||||||
|
pathType: DirectoryOrCreate
|
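Review bot: `bind-address: 0.0.0.0` on both the controller-manager and the scheduler, together with etcd's `listen-metrics-urls: "http://0.0.0.0:2381"`, puts those listeners on every interface of the control-plane host, where CIS 1.3.7/1.4.2 expect the loopback address unless there is a documented reason (presumably Prometheus scraping here). If scraping is the reason, either bind to the node's private IP through a value instead of 0.0.0.0, or keep 0.0.0.0 and state in a comment that the security group / host firewall must fence 10257, 10259 and 2381 to the monitoring network — the etcd metrics endpoint is plaintext and unauthenticated. The apiserver pins `tls-cipher-suites` but not the protocol floor; adding `tls-min-version: VersionTLS12` next to it makes the intent explicit and survives future edits to the suite list. Also, `clusterName: {{ .Values.clusterName }}` and `kubernetesVersion: {{ .Values.clusterVersion }}` are rendered unquoted, so a value such as `1.18` or a name like `no` changes YAML type; render both through `| quote`.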
12
charts/kubeadm/templates/InitConfiguration.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
apiVersion: kubeadm.k8s.io/v1beta2
|
||||||
|
kind: InitConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-initconfiguration
|
||||||
|
localAPIEndpoint:
|
||||||
|
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
|
||||||
|
nodeRegistration:
|
||||||
|
ignorePreflightErrors:
|
||||||
|
- Swap
|
||||||
|
- DirAvailable--var-lib-etcd
|
||||||
|
kubeletExtraArgs:
|
||||||
|
node-labels: {{ .Values.nodeLabels | quote }}
|
18
charts/kubeadm/templates/JoinConfiguration.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
apiVersion: kubeadm.k8s.io/v1beta2
|
||||||
|
kind: JoinConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-joinconfiguration
|
||||||
|
discovery:
|
||||||
|
bootstrapToken:
|
||||||
|
apiServerEndpoint: {{ .Values.apiEndpoint }}
|
||||||
|
token: {{ .Values.joinToken }}
|
||||||
|
caCertHashes:
|
||||||
|
- "{{ .Values.caCertHash }}"
|
||||||
|
nodeRegistration:
|
||||||
|
ignorePreflightErrors:
|
||||||
|
- DirAvailable--var-lib-etcd
|
||||||
|
- Swap
|
||||||
|
controlPlane:
|
||||||
|
localAPIEndpoint:
|
||||||
|
advertiseAddress: {{ .Values.ipAddress }}
|
||||||
|
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
|
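Review bot: `token: {{ .Values.joinToken }}` is rendered unquoted, and a kubeadm bootstrap token is `[a-z0-9]{6}.[a-z0-9]{16}`, so an all-digit token such as `123456.1234567890123456` is parsed as a YAML float and the join breaks on a string field; render it as `token: {{ .Values.joinToken | quote }}`. `apiServerEndpoint` and `advertiseAddress` are hostnames/IPs and safe today, but cost nothing to quote the same way. The empty `caCertHash` default in values.yaml renders `- ""`, which kubeadm should reject as an invalid hash, so the join fails closed — keep it that way and do not reach for `unsafeSkipCAVerification` to get past it; the pin has to travel out of band with the token.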
6
charts/kubeadm/templates/KubeProxyConfiguration.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
||||||
|
kind: KubeProxyConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-kubeproxyconfiguration
|
||||||
|
metricsBindAddress: "0.0.0.0:10249"
|
||||||
|
mode: ""
|
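Review bot: `metricsBindAddress: "0.0.0.0:10249"` serves kube-proxy's unauthenticated listener on every node interface; besides `/metrics` that mux also serves `/healthz`, `/proxyMode` and — as I read the 1.18 server — a `/configz` dump of the proxy configuration, so it should only be reachable by the scraper. Either bind to the node's private IP (the value is a literal here, so the chart needs a value for it) or keep 0.0.0.0 and document next to it that the security group / host firewall must restrict 10249 to the monitoring network. `mode: ""` leaves the proxy mode to kube-proxy's auto-detection (iptables, as far as I know); if iptables is the intended mode, write `mode: iptables` so a host missing the modules fails loudly rather than silently picking another path.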
19
charts/kubeadm/templates/KubeletConfiguration.yaml
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
apiVersion: kubelet.config.k8s.io/v1beta1
|
||||||
|
kind: KubeletConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-kubeletconfiguration
|
||||||
|
failSwapOn: false
|
||||||
|
hairpinMode: hairpin-veth
|
||||||
|
resolvConf: /run/systemd/resolve/resolv.conf
|
||||||
|
protectKernelDefaults: true
|
||||||
|
eventRecordQPS: 0
|
||||||
|
# Breaks kubelet at boot time
|
||||||
|
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
|
||||||
|
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
|
||||||
|
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
|
||||||
|
featureGates:
|
||||||
|
# Default anyways but make kube-bench happy
|
||||||
|
RotateKubeletServerCertificate: true
|
||||||
|
CSIMigration: true
|
||||||
|
CSIMigrationAWS: true
|
||||||
|
CSIMigrationAWSComplete: true
|
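Review bot: `tlsCipherSuites` ends with `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, which use static RSA key exchange with no forward secrecy; the apiserver list in this same commit leaves them out, so the two lists disagree and the kubelet is the weaker endpoint. Unless a known client (an older scraper, for instance) needs them, drop those two entries so the kubelet list matches the apiserver's. Separately, `RotateKubeletServerCertificate: true` only does anything when `serverTLSBootstrap: true` is set (as far as I know), so as written the kubelet keeps its self-signed serving certificate and the gate satisfies the benchmark without changing behaviour — if CA-signed serving certificates are wanted, add `serverTLSBootstrap: true` and arrange for the resulting CSRs to be approved, and say in the comment which of the two you intend.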
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: apiserver.config.k8s.io/v1
|
||||||
|
kind: AdmissionConfiguration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-admissionconfiguration
|
||||||
|
plugins:
|
||||||
|
- name: EventRateLimit
|
||||||
|
path: /etc/kubernetes/apiserver/event-config.yaml
|
7
charts/kubeadm/templates/apiserver/audit-policy.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# Don't Log anything, but audit policy enabled
|
||||||
|
apiVersion: audit.k8s.io/v1
|
||||||
|
kind: Policy
|
||||||
|
metadata:
|
||||||
|
name: kubezero-auditpolicy
|
||||||
|
rules:
|
||||||
|
- level: None
|
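Review bot: The single `level: None` rule means nothing is ever written to `/var/log/kubernetes/audit.log`, so the apiserver's `audit-log-*` flags in this commit make the benchmark check pass while the cluster has no record of credential use, RBAC changes or secret reads. The header comment is honest about it, but a policy that records at least `Metadata` for everything (bodies withheld for secrets and tokenreviews) costs little and is what an incident responder will need; something along the lines below, tuned for volume, would be a reasonable floor. Whatever is chosen, extend the comment to say why logging is off and what the path to enabling it is, and check that `audit-log-maxage: "7"` on the apiserver meets the retention requirement.
```yaml
# … unchanged: apiVersion, kind, metadata …
rules:
  # noisy, low-value read-only traffic
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
  # keep who/what/when, never the secret material itself
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # everything else: metadata for reads, request bodies for mutations
  - level: Metadata
    verbs: ["get", "list", "watch"]
  - level: Request
    omitStages: ["RequestReceived"]
```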
13
charts/kubeadm/templates/apiserver/event-config.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||||
|
kind: Configuration
|
||||||
|
metadata:
|
||||||
|
name: kubezero-eventratelimits
|
||||||
|
limits:
|
||||||
|
- type: Namespace
|
||||||
|
qps: 50
|
||||||
|
burst: 100
|
||||||
|
cacheSize: 20
|
||||||
|
- type: User
|
||||||
|
qps: 10
|
||||||
|
burst: 50
|
||||||
|
cacheSize: 20
|
32
charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: iamidentitymappings.iamauthenticator.k8s.aws
|
||||||
|
spec:
|
||||||
|
group: iamauthenticator.k8s.aws
|
||||||
|
version: v1alpha1
|
||||||
|
scope: Cluster
|
||||||
|
names:
|
||||||
|
plural: iamidentitymappings
|
||||||
|
singular: iamidentitymapping
|
||||||
|
kind: IAMIdentityMapping
|
||||||
|
categories:
|
||||||
|
- all
|
||||||
|
subresources:
|
||||||
|
status: {}
|
||||||
|
validation:
|
||||||
|
openAPIV3Schema:
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
required:
|
||||||
|
- arn
|
||||||
|
- username
|
||||||
|
properties:
|
||||||
|
arn:
|
||||||
|
type: string
|
||||||
|
username:
|
||||||
|
type: string
|
||||||
|
groups:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
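Review bot: This CRD is an authentication-mapping object — the deployment in this commit pairs it with `--backend-mode=CRD` and a mapping that grants `system:masters` — so anyone with `create`/`update` on `iamidentitymappings.iamauthenticator.k8s.aws` can hand any IAM ARN any group, yet nothing in the file says so. Add a comment at the top stating that write access to this cluster-scoped resource is equivalent to cluster-admin and must not be granted to tenants or automation, and audit existing ClusterRoles for wildcard verbs on `*` resources that would include it. The schema is also non-structural (`apiextensions.k8s.io/v1beta1` with no top-level `type: object`), and v1beta1 is deprecated and removed in 1.22; tightening `arn`/`username` with `minLength: 1` and `groups` items with a `pattern` would stop blank mappings from being accepted while you are there.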
164
charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
Normal file
@ -0,0 +1,164 @@
|
|||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- iamauthenticator.k8s.aws
|
||||||
|
resources:
|
||||||
|
- iamidentitymappings
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- iamauthenticator.k8s.aws
|
||||||
|
resources:
|
||||||
|
- iamidentitymappings/status
|
||||||
|
verbs:
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
resourceNames:
|
||||||
|
- aws-auth
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
namespace: kube-system
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
namespace: kube-system
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
namespace: kube-system
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
labels:
|
||||||
|
k8s-app: aws-iam-authenticator
|
||||||
|
data:
|
||||||
|
config.yaml: |
|
||||||
|
clusterID: {{ .Values.clusterName }}
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: DaemonSet
|
||||||
|
metadata:
|
||||||
|
namespace: kube-system
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
labels:
|
||||||
|
k8s-app: aws-iam-authenticator
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/pod: runtime/default
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
k8s-app: aws-iam-authenticator
|
||||||
|
updateStrategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||||
|
labels:
|
||||||
|
k8s-app: aws-iam-authenticator
|
||||||
|
spec:
|
||||||
|
# use service account with access to
|
||||||
|
serviceAccountName: aws-iam-authenticator
|
||||||
|
|
||||||
|
# run on the host network (don't depend on CNI)
|
||||||
|
hostNetwork: true
|
||||||
|
|
||||||
|
# run on each master node
|
||||||
|
nodeSelector:
|
||||||
|
node-role.kubernetes.io/master: ""
|
||||||
|
tolerations:
|
||||||
|
- effect: NoSchedule
|
||||||
|
key: node-role.kubernetes.io/master
|
||||||
|
- key: CriticalAddonsOnly
|
||||||
|
operator: Exists
|
||||||
|
|
||||||
|
containers:
|
||||||
|
- name: aws-iam-authenticator
|
||||||
|
image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
|
||||||
|
args:
|
||||||
|
- server
|
||||||
|
- --backend-mode=CRD,MountedFile
|
||||||
|
- --config=/etc/aws-iam-authenticator/config.yaml
|
||||||
|
- --state-dir=/var/aws-iam-authenticator
|
||||||
|
- --kubeconfig-pregenerated=true
|
||||||
|
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 20Mi
|
||||||
|
cpu: 10m
|
||||||
|
limits:
|
||||||
|
memory: 20Mi
|
||||||
|
cpu: 100m
|
||||||
|
|
||||||
|
volumeMounts:
|
||||||
|
- name: config
|
||||||
|
mountPath: /etc/aws-iam-authenticator/
|
||||||
|
- name: state
|
||||||
|
mountPath: /var/aws-iam-authenticator/
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: aws-iam-authenticator
|
||||||
|
- name: state
|
||||||
|
hostPath:
|
||||||
|
path: /var/aws-iam-authenticator/
|
||||||
|
---
|
||||||
|
apiVersion: iamauthenticator.k8s.aws/v1alpha1
|
||||||
|
kind: IAMIdentityMapping
|
||||||
|
metadata:
|
||||||
|
name: kubernetes-admin
|
||||||
|
spec:
|
||||||
|
# Arn of the User or Role to be allowed to authenticate
|
||||||
|
arn: {{ .Values.kubeAdminRole }}
|
||||||
|
username: kubernetes-admin
|
||||||
|
groups:
|
||||||
|
- system:masters
|
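Review bot: The `IAMIdentityMapping` at the end maps `kubeAdminRole` to `username: kubernetes-admin` in `system:masters`; that username is also the CN of kubeadm's `admin.conf` client certificate, so audit entries cannot tell an IAM-assumed admin from someone holding the bootstrap kubeconfig, and `system:masters` is honoured by the apiserver ahead of RBAC, so it cannot be scoped or revoked except by deleting the mapping. Use a distinct username (e.g. `iam:kubernetes-admin`) and a dedicated group such as `kubezero:admins` bound to `cluster-admin` by a ClusterRoleBinding, so access is attributable and revocable. `image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2` is a mutable tag for the component that decides who is admin — pin it by digest (`image: …@sha256:<digest>`) and keep the digest in values. `scheduler.alpha.kubernetes.io/critical-pod` is a no-op on 1.16+; `priorityClassName: system-node-critical` is what keeps this DaemonSet from eviction, which matters because with `limits.memory: 20Mi` an OOM-kill here takes IAM authentication down cluster-wide. Minor: the `ClusterRoleBinding` uses `rbac.authorization.k8s.io/v1beta1` while the `ClusterRole` uses `v1` (v1beta1 is removed in 1.22), and `namespace: kube-system` on a cluster-scoped object is ignored and should be dropped.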
11
charts/kubeadm/values.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
clusterVersion: 1.18.0
|
||||||
|
clusterName: pleasechangeme
|
||||||
|
apiEndpoint: kube-api.changeme.org:6443
|
||||||
|
etcdExtraArgs: {}
|
||||||
|
# Enable for > 1.18
|
||||||
|
# unsafe-no-fsync: "true"
|
||||||
|
apiExtraArgs: {}
|
||||||
|
clusterHighAvailable: false
|
||||||
|
allEtcdEndpoints: ""
|
||||||
|
joinToken: ""
|
||||||
|
caCertHash: ""
|
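Review bot: The templates read `kubeAdminRole`, `ipAddress` and `nodeLabels`, none of which has a default here, and `joinToken`/`caCertHash` are the bootstrap secret and CA pin; document per value what it is, which are required, and that `joinToken` is a short-lived secret to be passed at render time (`--set` or a separate, uncommitted values file) rather than stored in this chart. `apiEndpoint` must be `host:port` because the templates derive `bindPort` and the apiserver SAN by splitting on `:`, which the comment should say. The commented `# unsafe-no-fsync: "true"` deserves a warning alongside "Enable for > 1.18": it disables fsync in etcd, so a control-plane power loss can lose committed cluster state, and it should never be enabled by just uncommenting a line.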
@ -1,26 +0,0 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: kubezero
|
|
||||||
namespace: argocd
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
project: kubezero
|
|
||||||
source:
|
|
||||||
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
|
|
||||||
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
|
|
||||||
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
|
|
||||||
|
|
||||||
helm:
|
|
||||||
values: |
|
|
||||||
{{- toYaml .Values.kubezero | nindent 8 }}
|
|
||||||
|
|
||||||
destination:
|
|
||||||
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
|
||||||
namespace: argocd
|
|
||||||
|
|
||||||
{{- if .Values.kubezero.global.syncPolicy }}
|
|
||||||
syncPolicy:
|
|
||||||
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
|
|
||||||
{{- end }}
|
|
@ -1,7 +1,7 @@
|
|||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||||
name: kubezero-argo-cd
|
name: kubezero-argocd
|
||||||
version: 0.6.0
|
version: 0.6.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -15,6 +15,6 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: argo-cd
|
- name: argo-cd
|
||||||
version: 2.9.3
|
version: 2.9.5
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
kubeVersion: ">= 1.17.0"
|
kubeVersion: ">= 1.16.0"
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-argo-cd
|
# kubezero-argocd
|
||||||
|
|
||||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
|
![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||||
|
|
||||||
@ -14,11 +14,11 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Kubernetes: `>= 1.17.0`
|
Kubernetes: `>= 1.16.0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 |
|
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
|
|||||||
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
||||||
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
||||||
| argo-cd.dex.enabled | bool | `false` | |
|
| argo-cd.dex.enabled | bool | `false` | |
|
||||||
| argo-cd.global.image.tag | string | `"v1.7.8"` | |
|
| argo-cd.global.image.tag | string | `"v1.7.10"` | |
|
||||||
| argo-cd.installCRDs | bool | `false` | |
|
| argo-cd.installCRDs | bool | `false` | |
|
||||||
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
|
||||||
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
|
||||||
| argo-cd.istio.ipBlocks | list | `[]` | |
|
|
||||||
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
||||||
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
||||||
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
||||||
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
||||||
@ -53,12 +48,16 @@ Kubernetes: `>= 1.17.0`
|
|||||||
| argo-cd.server.metrics.enabled | bool | `false` | |
|
| argo-cd.server.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
||||||
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
|
| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||||
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||||
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
| istio.ipBlocks | list | `[]` | |
|
||||||
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL |
|
| kubezero.enabled | bool | `false` | |
|
||||||
|
| kubezero.path | string | `"charts/kubezero"` | path within repoURL |
|
||||||
|
| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications |
|
||||||
|
| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster |
|
||||||
|
| kubezero.targetRevision | string | `"HEAD"` | git branch to track |
|
||||||
|
| kubezero.valuesFiles[0] | string | `"values.yaml"` | |
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
- https://argoproj.github.io/argo-cd/operator-manual/metrics/
|
- https://argoproj.github.io/argo-cd/operator-manual/metrics/
|
@ -1,5 +1,5 @@
|
|||||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
{{- if .Values.istio.enabled }}
|
||||||
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
{{- if .Values.istio.ipBlocks }}
|
||||||
apiVersion: security.istio.io/v1beta1
|
apiVersion: security.istio.io/v1beta1
|
||||||
kind: AuthorizationPolicy
|
kind: AuthorizationPolicy
|
||||||
metadata:
|
metadata:
|
||||||
@ -16,7 +16,7 @@ spec:
|
|||||||
- from:
|
- from:
|
||||||
- source:
|
- source:
|
||||||
notIpBlocks:
|
notIpBlocks:
|
||||||
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
{{- with .Values.istio.ipBlocks }}
|
||||||
{{- . | toYaml | nindent 8 }}
|
{{- . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
to:
|
to:
|
@ -1,4 +1,4 @@
|
|||||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
{{- if .Values.istio.enabled }}
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: VirtualService
|
kind: VirtualService
|
||||||
metadata:
|
metadata:
|
||||||
@ -7,7 +7,7 @@ metadata:
|
|||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
gateways:
|
gateways:
|
||||||
- {{ index .Values "argo-cd" "istio" "gateway" }}
|
- {{ .Values.istio.gateway }}
|
||||||
hosts:
|
hosts:
|
||||||
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
||||||
http:
|
http:
|
||||||
@ -18,13 +18,13 @@ spec:
|
|||||||
prefix: argocd-client
|
prefix: argocd-client
|
||||||
route:
|
route:
|
||||||
- destination:
|
- destination:
|
||||||
host: {{ .Release.Name }}-argocd-server
|
host: argocd-server
|
||||||
port:
|
port:
|
||||||
number: 443
|
number: 443
|
||||||
- name: http
|
- name: http
|
||||||
route:
|
route:
|
||||||
- destination:
|
- destination:
|
||||||
host: {{ .Release.Name }}-argocd-server
|
host: argocd-server
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
{{- end }}
|
{{- end }}
|
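Review bot: `host: argocd-server` replaces the release-derived name on both routes, so the VirtualService now only resolves if the argo-cd subchart is installed with a fullname that yields exactly `argocd-server` — presumably a `fullnameOverride` set elsewhere, which this hunk does not show. Either keep `{{ .Release.Name }}-argocd-server` or state the override the chart relies on in a comment next to `istio.enabled` in values.yaml, so a differently named release does not silently route to nothing. The plain-HTTP route on port 80 is unchanged here and is fine only if TLS terminates at the Istio gateway; that assumption should be written down in the same comment.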
@ -1,3 +1,4 @@
|
|||||||
|
{{- if .Values.kubezero.enabled }}
|
||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: AppProject
|
kind: AppProject
|
||||||
metadata:
|
metadata:
|
||||||
@ -12,7 +13,6 @@ spec:
|
|||||||
sourceRepos:
|
sourceRepos:
|
||||||
- '*'
|
- '*'
|
||||||
|
|
||||||
# Only permit applications to deploy to the guestbook namespace in the same cluster
|
|
||||||
destinations:
|
destinations:
|
||||||
- namespace: argocd
|
- namespace: argocd
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
@ -20,10 +20,10 @@ spec:
|
|||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: cert-manager
|
- namespace: cert-manager
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: istio-operator
|
|
||||||
server: https://kubernetes.default.svc
|
|
||||||
- namespace: istio-system
|
- namespace: istio-system
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: istio-ingress
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
- namespace: monitoring
|
- namespace: monitoring
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: elastic-system
|
- namespace: elastic-system
|
||||||
@ -34,3 +34,32 @@ spec:
|
|||||||
clusterResourceWhitelist:
|
clusterResourceWhitelist:
|
||||||
- group: '*'
|
- group: '*'
|
||||||
kind: '*'
|
kind: '*'
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: kubezero
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
project: kubezero
|
||||||
|
source:
|
||||||
|
repoURL: {{ .Values.kubezero.repoURL }}
|
||||||
|
targetRevision: {{ .Values.kubezero.targetRevision }}
|
||||||
|
path: {{ .Values.kubezero.path }}
|
||||||
|
|
||||||
|
helm:
|
||||||
|
valueFiles:
|
||||||
|
{{- toYaml .Values.kubezero.valuesFiles | nindent 6 }}
|
||||||
|
|
||||||
|
destination:
|
||||||
|
server: {{ .Values.kubezero.server }}
|
||||||
|
namespace: argocd
|
||||||
|
|
||||||
|
{{- with .Values.kubezero.syncPolicy }}
|
||||||
|
syncPolicy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
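Review bot: The new `Application` tracks `.Values.kubezero.targetRevision`, whose default elsewhere in this commit is `HEAD` of a public GitHub repository, and the `kubezero` AppProject it belongs to still allows `sourceRepos: '*'` and every cluster-scoped kind; with a `syncPolicy.automated` block that makes whoever can push to that branch effectively cluster-admin, as far as this hunk shows. For production, default `targetRevision` to a release tag or commit and narrow the project to the one repository the Application uses, e.g. `sourceRepos: - {{ .Values.kubezero.repoURL }}`. `valueFiles` are read from the same checkout, so a compromised branch also controls the values — another reason to pin. The `{{- if .Values.kubezero.enabled }}` guard wraps both the AppProject and the Application, so disabling kubezero also removes the project; say so in the value's comment.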
@ -1,24 +1,35 @@
|
|||||||
|
# Configure app of apps
|
||||||
kubezero:
|
kubezero:
|
||||||
global:
|
enabled: false
|
||||||
# kubezero.global.defaultDestination -- Destination cluster
|
|
||||||
defaultDestination:
|
|
||||||
server: https://kubernetes.default.svc
|
|
||||||
|
|
||||||
# This repoURL is used a base for all the repoURLs applications
|
# kubezero.server -- destination cluster
|
||||||
# Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be
|
server: https://kubernetes.default.svc
|
||||||
# integrated into any repository as a git subtree if for example public internet access is unavailable
|
|
||||||
defaultSource:
|
|
||||||
# kubezero.global.defaultSource.repoURL -- default repository for argocd applications
|
|
||||||
repoURL: https://github.com/zero-down-time/kubezero
|
|
||||||
# kubezero.global.defaultSource.targetRevision -- default tracking of repoURL
|
|
||||||
targetRevision: HEAD
|
|
||||||
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
|
|
||||||
pathPrefix: ''
|
|
||||||
|
|
||||||
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
|
# This repoURL is used a base for all the repoURLs applications
|
||||||
#syncPolicy:
|
# Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be
|
||||||
# automated:
|
# integrated into any repository as a git subtree if for example public internet access is unavailable
|
||||||
# prune: true
|
# kubezero.repoURL -- repository for kubezero argo applications
|
||||||
|
repoURL: https://github.com/zero-down-time/kubezero
|
||||||
|
# kubezero.targetRevision -- git branch to track
|
||||||
|
targetRevision: HEAD
|
||||||
|
# kubezero.path -- path within repoURL
|
||||||
|
path: 'charts/kubezero'
|
||||||
|
|
||||||
|
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
|
||||||
|
#syncPolicy:
|
||||||
|
# automated:
|
||||||
|
# prune: true
|
||||||
|
|
||||||
|
valuesFiles:
|
||||||
|
- values.yaml
|
||||||
|
|
||||||
|
# Support for Istio Ingress for ArgoCD
|
||||||
|
istio:
|
||||||
|
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||||
|
enabled: false
|
||||||
|
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||||
|
gateway: istio-ingress/ingressgateway
|
||||||
|
ipBlocks: []
|
||||||
|
|
||||||
argo-cd:
|
argo-cd:
|
||||||
installCRDs: false
|
installCRDs: false
|
||||||
@ -31,7 +42,7 @@ argo-cd:
|
|||||||
|
|
||||||
global:
|
global:
|
||||||
image:
|
image:
|
||||||
tag: v1.7.8
|
tag: v1.7.10
|
||||||
|
|
||||||
controller:
|
controller:
|
||||||
args:
|
args:
|
||||||
@ -44,7 +55,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -62,7 +72,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -72,6 +81,9 @@ argo-cd:
|
|||||||
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
|
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
|
||||||
url: argocd.example.com
|
url: argocd.example.com
|
||||||
|
|
||||||
|
#repositories: |
|
||||||
|
# - url: https://zero-down-time.github.io/kubezero.git
|
||||||
|
|
||||||
resource.customizations: |
|
resource.customizations: |
|
||||||
cert-manager.io/Certificate:
|
cert-manager.io/Certificate:
|
||||||
# Lua script for customizing the health status assessment
|
# Lua script for customizing the health status assessment
|
||||||
@ -105,7 +117,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -118,10 +129,3 @@ argo-cd:
|
|||||||
|
|
||||||
dex:
|
dex:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
istio:
|
|
||||||
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
|
||||||
enabled: false
|
|
||||||
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
|
||||||
gateway: istio-system/ingressgateway
|
|
||||||
ipBlocks: []
|
|
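Review bot: `targetRevision: HEAD` under the new top-level `kubezero:` block (first hunk) makes the app-of-apps deploy whatever is currently on the default branch of the public `repoURL`, so any push to that branch — or a compromise of it — reaches every cluster on the next sync; pinning to a release tag or commit, `targetRevision: "<release-tag>"` with the comment `# kubezero.targetRevision -- git tag/commit to deploy; avoid HEAD outside development`, keeps the deployed revision reviewable and reproducible. In the same hunk the new `ipBlocks: []` is the only key in the `istio:` block without a helm-docs comment; suggest `# istio.ipBlocks -- source CIDRs allowed to reach ArgoCD through the gateway (an empty list presumably means unrestricted — confirm against the VirtualService template)`. Note also that the gateway default moved from `istio-system/ingressgateway` to `istio-ingress/ingressgateway` while the block moved from `argo-cd.istio` to `istio`, so existing overrides of the old key are silently ignored; a one-line migration hint in the comment would help operators.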
@ -1 +0,0 @@
|
|||||||
git
|
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-aws-ebs-csi-driver
|
name: kubezero-aws-ebs-csi-driver
|
||||||
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.2
|
version: 0.3.4
|
||||||
appVersion: 0.7.0
|
appVersion: 0.8.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
sources:
|
sources:
|
||||||
@ -17,6 +17,9 @@ keywords:
|
|||||||
maintainers:
|
maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
|
- name: aws-ebs-csi-driver
|
||||||
|
version: 0.7.1
|
||||||
|
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
|
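Review bot: The new `aws-ebs-csi-driver` dependency is pinned to exact chart `version: 0.7.1`, but nothing ties it to the `appVersion: 0.8.0` bump a few lines up; a comment such as `# upstream chart 0.7.1 — keep in sync with appVersion (driver release it ships)` would make the coupling explicit. Since this chart now resolves the driver from an external repository instead of the vendored copy deleted elsewhere in this PR, the generated Chart.lock with its digest should be tracked (if it is not already) so `helm dependency build` reproduces the same artifact rather than re-resolving from the remote index.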
@ -1,6 +1,6 @@
|
|||||||
# kubezero-aws-ebs-csi-driver
|
# kubezero-aws-ebs-csi-driver
|
||||||
|
|
||||||
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
|
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
|
|
||||||
@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
|
| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.7.1 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## IAM Role
|
## IAM Role
|
||||||
|
@ -1,16 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
appVersion: "0.7.0"
|
|
||||||
name: aws-ebs-csi-driver
|
|
||||||
description: A Helm chart for AWS EBS CSI Driver
|
|
||||||
version: 0.6.0
|
|
||||||
kubeVersion: ">=1.13.0-0"
|
|
||||||
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
|
||||||
sources:
|
|
||||||
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
|
||||||
keywords:
|
|
||||||
- aws
|
|
||||||
- ebs
|
|
||||||
- csi
|
|
||||||
maintainers:
|
|
||||||
- name: leakingtapan
|
|
||||||
email: chengpan@amazon.com
|
|
@ -1,3 +0,0 @@
|
|||||||
To verify that aws-ebs-csi-driver has started, run:
|
|
||||||
|
|
||||||
kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-attacher-role
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["nodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["csi.storage.k8s.io"]
|
|
||||||
resources: ["csinodeinfos"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["volumeattachments"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
@ -1,35 +0,0 @@
|
|||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-provisioner-role
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["csinodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["nodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
|
||||||
resources: ["leases"]
|
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
@ -1,31 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeResizing }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-resizer-role
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
# The following rule should be uncommented for plugins that require secrets
|
|
||||||
# for provisioning.
|
|
||||||
# - apiGroups: [""]
|
|
||||||
# resources: ["secrets"]
|
|
||||||
# verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims/status"]
|
|
||||||
verbs: ["update", "patch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
|
|
||||||
{{- end}}
|
|
@ -1,35 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller-role
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots/status"]
|
|
||||||
verbs: ["update"]
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,25 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-snapshotter-role
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents/status"]
|
|
||||||
verbs: ["update"]
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-attacher-binding
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-attacher-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-provisioner-binding
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-provisioner-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
@ -1,18 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeResizing }}
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-resizer-binding
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-resizer-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- end}}
|
|
@ -1,18 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-snapshot-controller-binding
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-snapshot-controller-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,18 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-snapshotter-binding
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-snapshotter-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,157 +0,0 @@
|
|||||||
# Controller Service
|
|
||||||
kind: Deployment
|
|
||||||
apiVersion: apps/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-controller
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.replicaCount }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: ebs-csi-controller
|
|
||||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: ebs-csi-controller
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
|
||||||
{{- if .Values.podAnnotations }}
|
|
||||||
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
nodeSelector:
|
|
||||||
kubernetes.io/os: linux
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
serviceAccountName: ebs-csi-controller-sa
|
|
||||||
priorityClassName: system-cluster-critical
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity: {{ toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
tolerations:
|
|
||||||
- operator: Exists
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: ebs-plugin
|
|
||||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
args:
|
|
||||||
{{- if ne .Release.Name "kustomize" }}
|
|
||||||
- controller
|
|
||||||
{{- else }}
|
|
||||||
# - {all,controller,node} # specify the driver mode
|
|
||||||
{{- end }}
|
|
||||||
- --endpoint=$(CSI_ENDPOINT)
|
|
||||||
{{- if .Values.extraVolumeTags }}
|
|
||||||
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
- --logtostderr
|
|
||||||
- --v=5
|
|
||||||
env:
|
|
||||||
- name: CSI_ENDPOINT
|
|
||||||
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
|
|
||||||
- name: AWS_ACCESS_KEY_ID
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: aws-secret
|
|
||||||
key: key_id
|
|
||||||
optional: true
|
|
||||||
- name: AWS_SECRET_ACCESS_KEY
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: aws-secret
|
|
||||||
key: access_key
|
|
||||||
optional: true
|
|
||||||
{{- if .Values.region }}
|
|
||||||
- name: AWS_REGION
|
|
||||||
value: {{ .Values.region }}
|
|
||||||
{{- end }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
|
||||||
ports:
|
|
||||||
- name: healthz
|
|
||||||
containerPort: 9808
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz
|
|
||||||
port: healthz
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
timeoutSeconds: 3
|
|
||||||
periodSeconds: 10
|
|
||||||
failureThreshold: 5
|
|
||||||
{{- with .Values.resources }}
|
|
||||||
resources: {{ toYaml . | nindent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
- name: csi-provisioner
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=$(ADDRESS)
|
|
||||||
- --v=5
|
|
||||||
{{- if .Values.enableVolumeScheduling }}
|
|
||||||
- --feature-gates=Topology=true
|
|
||||||
{{- end}}
|
|
||||||
- --enable-leader-election
|
|
||||||
- --leader-election-type=leases
|
|
||||||
env:
|
|
||||||
- name: ADDRESS
|
|
||||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
|
||||||
- name: csi-attacher
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=$(ADDRESS)
|
|
||||||
- --v=5
|
|
||||||
- --leader-election=true
|
|
||||||
- --leader-election-type=leases
|
|
||||||
env:
|
|
||||||
- name: ADDRESS
|
|
||||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
|
||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
- name: csi-snapshotter
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=$(ADDRESS)
|
|
||||||
- --leader-election=true
|
|
||||||
env:
|
|
||||||
- name: ADDRESS
|
|
||||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.enableVolumeResizing }}
|
|
||||||
- name: csi-resizer
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }}
|
|
||||||
imagePullPolicy: Always
|
|
||||||
args:
|
|
||||||
- --csi-address=$(ADDRESS)
|
|
||||||
- --v=5
|
|
||||||
env:
|
|
||||||
- name: ADDRESS
|
|
||||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
|
||||||
{{- end }}
|
|
||||||
- name: liveness-probe
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=/csi/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: socket-dir
|
|
||||||
mountPath: /csi
|
|
||||||
volumes:
|
|
||||||
- name: socket-dir
|
|
||||||
emptyDir: {}
|
|
@ -1,9 +0,0 @@
|
|||||||
apiVersion: storage.k8s.io/v1beta1
|
|
||||||
kind: CSIDriver
|
|
||||||
metadata:
|
|
||||||
name: ebs.csi.aws.com
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
attachRequired: true
|
|
||||||
podInfoOnMount: false
|
|
@ -1,117 +0,0 @@
|
|||||||
# Node Service
|
|
||||||
kind: DaemonSet
|
|
||||||
apiVersion: apps/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-node
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: ebs-csi-node
|
|
||||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: ebs-csi-node
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
|
||||||
{{- if .Values.node.podAnnotations }}
|
|
||||||
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
nodeAffinity:
|
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
nodeSelectorTerms:
|
|
||||||
- matchExpressions:
|
|
||||||
- key: eks.amazonaws.com/compute-type
|
|
||||||
operator: NotIn
|
|
||||||
values:
|
|
||||||
- fargate
|
|
||||||
nodeSelector:
|
|
||||||
kubernetes.io/os: linux
|
|
||||||
hostNetwork: true
|
|
||||||
priorityClassName: system-node-critical
|
|
||||||
tolerations:
|
|
||||||
- operator: Exists
|
|
||||||
{{- with .Values.node.tolerations }}
|
|
||||||
{{ toYaml . | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: ebs-plugin
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
|
||||||
args:
|
|
||||||
- node
|
|
||||||
- --endpoint=$(CSI_ENDPOINT)
|
|
||||||
- --logtostderr
|
|
||||||
- --v=5
|
|
||||||
env:
|
|
||||||
- name: CSI_ENDPOINT
|
|
||||||
value: unix:/csi/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: kubelet-dir
|
|
||||||
mountPath: /var/lib/kubelet
|
|
||||||
mountPropagation: "Bidirectional"
|
|
||||||
- name: plugin-dir
|
|
||||||
mountPath: /csi
|
|
||||||
- name: device-dir
|
|
||||||
mountPath: /dev
|
|
||||||
ports:
|
|
||||||
- name: healthz
|
|
||||||
containerPort: 9808
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz
|
|
||||||
port: healthz
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
timeoutSeconds: 3
|
|
||||||
periodSeconds: 10
|
|
||||||
failureThreshold: 5
|
|
||||||
- name: node-driver-registrar
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=$(ADDRESS)
|
|
||||||
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
|
|
||||||
- --v=5
|
|
||||||
lifecycle:
|
|
||||||
preStop:
|
|
||||||
exec:
|
|
||||||
command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
|
|
||||||
env:
|
|
||||||
- name: ADDRESS
|
|
||||||
value: /csi/csi.sock
|
|
||||||
- name: DRIVER_REG_SOCK_PATH
|
|
||||||
value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: plugin-dir
|
|
||||||
mountPath: /csi
|
|
||||||
- name: registration-dir
|
|
||||||
mountPath: /registration
|
|
||||||
- name: liveness-probe
|
|
||||||
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
|
|
||||||
args:
|
|
||||||
- --csi-address=/csi/csi.sock
|
|
||||||
volumeMounts:
|
|
||||||
- name: plugin-dir
|
|
||||||
mountPath: /csi
|
|
||||||
volumes:
|
|
||||||
- name: kubelet-dir
|
|
||||||
hostPath:
|
|
||||||
path: /var/lib/kubelet
|
|
||||||
type: Directory
|
|
||||||
- name: plugin-dir
|
|
||||||
hostPath:
|
|
||||||
path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
|
|
||||||
type: DirectoryOrCreate
|
|
||||||
- name: registration-dir
|
|
||||||
hostPath:
|
|
||||||
path: /var/lib/kubelet/plugins_registry/
|
|
||||||
type: Directory
|
|
||||||
- name: device-dir
|
|
||||||
hostPath:
|
|
||||||
path: /dev
|
|
||||||
type: Directory
|
|
@ -1,15 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller-leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
|
||||||
resources: ["leases"]
|
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,19 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: snapshot-controller-leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: snapshot-controller-leaderelection
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.serviceAccount.controller.annotations }}
|
|
||||||
annotations: {{ toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq .Release.Name "kustomize" }}
|
|
||||||
#Enable if EKS IAM for SA is used
|
|
||||||
#annotations:
|
|
||||||
# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
|
|
||||||
{{- end }}
|
|
@ -1,13 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.serviceAccount.snapshot.annotations }}
|
|
||||||
annotations: {{ toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,30 +0,0 @@
|
|||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
#Snapshot controller
|
|
||||||
kind: StatefulSet
|
|
||||||
apiVersion: apps/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
labels:
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
serviceName: ebs-snapshot-controller
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: ebs-snapshot-controller
|
|
||||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: ebs-snapshot-controller
|
|
||||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
|
||||||
spec:
|
|
||||||
serviceAccountName: ebs-snapshot-controller
|
|
||||||
containers:
|
|
||||||
- name: snapshot-controller
|
|
||||||
image: quay.io/k8scsi/snapshot-controller:v2.1.1
|
|
||||||
args:
|
|
||||||
- --v=5
|
|
||||||
- --leader-election=false
|
|
||||||
{{- end }}
|
|
@ -1,86 +0,0 @@
|
|||||||
# Default values for aws-ebs-csi-driver.
|
|
||||||
# This is a YAML-formatted file.
|
|
||||||
# Declare variables to be passed into your templates.
|
|
||||||
|
|
||||||
replicaCount: 2
|
|
||||||
|
|
||||||
image:
|
|
||||||
repository: amazon/aws-ebs-csi-driver
|
|
||||||
tag: "v0.7.0"
|
|
||||||
pullPolicy: IfNotPresent
|
|
||||||
|
|
||||||
sidecars:
|
|
||||||
provisionerImage:
|
|
||||||
repository: quay.io/k8scsi/csi-provisioner
|
|
||||||
tag: "v1.5.0"
|
|
||||||
attacherImage:
|
|
||||||
repository: quay.io/k8scsi/csi-attacher
|
|
||||||
tag: "v1.2.0"
|
|
||||||
snapshotterImage:
|
|
||||||
repository: quay.io/k8scsi/csi-snapshotter
|
|
||||||
tag: "v2.1.1"
|
|
||||||
livenessProbeImage:
|
|
||||||
repository: quay.io/k8scsi/livenessprobe
|
|
||||||
tag: "v1.1.0"
|
|
||||||
resizerImage:
|
|
||||||
repository: quay.io/k8scsi/csi-resizer
|
|
||||||
tag: "v0.3.0"
|
|
||||||
nodeDriverRegistrarImage:
|
|
||||||
repository: quay.io/k8scsi/csi-node-driver-registrar
|
|
||||||
tag: "v1.1.0"
|
|
||||||
|
|
||||||
imagePullSecrets: []
|
|
||||||
nameOverride: ""
|
|
||||||
fullnameOverride: ""
|
|
||||||
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
# True if enable volume scheduling for dynamic volume provisioning
|
|
||||||
enableVolumeScheduling: false
|
|
||||||
|
|
||||||
# True if enable volume resizing
|
|
||||||
enableVolumeResizing: false
|
|
||||||
|
|
||||||
# True if enable volume snapshot
|
|
||||||
enableVolumeSnapshot: false
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
|
||||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
||||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
||||||
# limits:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
# requests:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 128Mi
|
|
||||||
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
affinity: {}
|
|
||||||
|
|
||||||
# Extra volume tags to attach to each dynamically provisioned volume.
|
|
||||||
# ---
|
|
||||||
# extraVolumeTags:
|
|
||||||
# key1: value1
|
|
||||||
# key2: value2
|
|
||||||
extraVolumeTags: {}
|
|
||||||
|
|
||||||
# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
|
|
||||||
# service.
|
|
||||||
# ---
|
|
||||||
# region: us-east-1
|
|
||||||
region: ""
|
|
||||||
|
|
||||||
node:
|
|
||||||
podAnnotations: {}
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
serviceAccount:
|
|
||||||
controller:
|
|
||||||
annotations: {}
|
|
||||||
snapshot:
|
|
||||||
annotations: {}
|
|
@ -4,6 +4,22 @@ apiVersion: storage.k8s.io/v1
|
|||||||
metadata:
|
metadata:
|
||||||
name: ebs-sc-gp2-xfs
|
name: ebs-sc-gp2-xfs
|
||||||
labels:
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
provisioner: ebs.csi.aws.com
|
||||||
|
volumeBindingMode: WaitForFirstConsumer
|
||||||
|
parameters:
|
||||||
|
csi.storage.k8s.io/fstype: xfs
|
||||||
|
type: gp2
|
||||||
|
encrypted: "true"
|
||||||
|
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
kind: StorageClass
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-sc-gp3-xfs
|
||||||
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
{{- if .Values.StorageClass.default }}
|
{{- if .Values.StorageClass.default }}
|
||||||
annotations:
|
annotations:
|
||||||
@ -13,7 +29,7 @@ provisioner: ebs.csi.aws.com
|
|||||||
volumeBindingMode: WaitForFirstConsumer
|
volumeBindingMode: WaitForFirstConsumer
|
||||||
parameters:
|
parameters:
|
||||||
csi.storage.k8s.io/fstype: xfs
|
csi.storage.k8s.io/fstype: xfs
|
||||||
type: gp2
|
type: gp3
|
||||||
encrypted: "true"
|
encrypted: "true"
|
||||||
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
|
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
|
||||||
allowVolumeExpansion: true
|
allowVolumeExpansion: true
|
||||||
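Review bot: The new ebs-sc-gp2-xfs class is a hand-copied twin of ebs-sc-gp3-xfs that differs only in `type:`, so the two `encrypted: "true"` lines and the two `enableVolumeResizing` guards now have to be kept in sync by eye; a `{{- range $type := list "gp2" "gp3" }}` around a single body with `name: ebs-sc-{{ $type }}-xfs` and `type: {{ $type }}`, keeping the default-class annotation gated on gp3, would remove the drift risk for the encryption setting. Both classes set `encrypted: "true"` without a `kmsKeyId`, which means volumes use the account's default EBS key rather than a customer-managed one; if a CMK is the intended posture, a comment such as `# encrypted with the AWS-managed default key; set kmsKeyId for a CMK` next to `encrypted:` would make that explicit. The template's opening lines and the body of the default-class annotation lie outside these hunks.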
|
@ -1,14 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -ex
|
|
||||||
|
|
||||||
# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
|
|
||||||
|
|
||||||
REPO="kubernetes-sigs/aws-ebs-csi-driver"
|
|
||||||
[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
|
|
||||||
|
|
||||||
rm -rf git
|
|
||||||
git clone https://github.com/$REPO.git git
|
|
||||||
cd git && git checkout $RELEASE && cd -
|
|
||||||
|
|
||||||
rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver
|
|
||||||
mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver
|
|
@ -20,3 +20,5 @@
|
|||||||
.idea/
|
.idea/
|
||||||
*.tmproj
|
*.tmproj
|
||||||
.vscode/
|
.vscode/
|
||||||
|
|
||||||
|
git
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-calico
|
name: kubezero-calico
|
||||||
description: KubeZero Umbrella Chart for Calico
|
description: KubeZero Umbrella Chart for Calico
|
||||||
type: application
|
type: application
|
||||||
version: 0.2.0
|
version: 0.2.1
|
||||||
appVersion: v3.16.1
|
appVersion: v3.16.5
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-calico
|
# kubezero-calico
|
||||||
|
|
||||||
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square)
|
![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for Calico
|
KubeZero Umbrella Chart for Calico
|
||||||
|
|
||||||
@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from
|
|||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| image.tag | string | `""` | |
|
| image.tag | string | `""` | |
|
||||||
| installCRDs | bool | `false` | |
|
|
||||||
| loglevel | string | `"Warning"` | |
|
| loglevel | string | `"Warning"` | |
|
||||||
| mtu | int | `8941` | |
|
| mtu | int | `8941` | |
|
||||||
| network | string | `"vxlan"` | |
|
| network | string | `"vxlan"` | |
|
||||||
|
@ -1,101 +0,0 @@
|
|||||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
|
||||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
|
||||||
@@ -10,13 +10,13 @@
|
|
||||||
# Typha is disabled.
|
|
||||||
typha_service_name: "none"
|
|
||||||
# Configure the backend to use.
|
|
||||||
- calico_backend: "bird"
|
|
||||||
+ calico_backend: "vxlan"
|
|
||||||
# Configure the MTU to use for workload interfaces and tunnels.
|
|
||||||
# - If Wireguard is enabled, set to your network MTU - 60
|
|
||||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
|
||||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
|
||||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
|
||||||
- veth_mtu: "1410"
|
|
||||||
+ veth_mtu: "8941"
|
|
||||||
|
|
||||||
# The CNI network configuration to install on each node. The special
|
|
||||||
# values in this config will be automatically populated.
|
|
||||||
@@ -3451,29 +3451,6 @@
|
|
||||||
terminationGracePeriodSeconds: 0
|
|
||||||
priorityClassName: system-node-critical
|
|
||||||
initContainers:
|
|
||||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
|
||||||
- # It can be deleted if this is a fresh installation, or if you have already
|
|
||||||
- # upgraded to use calico-ipam.
|
|
||||||
- - name: upgrade-ipam
|
|
||||||
- image: calico/cni:v3.15.0
|
|
||||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
|
||||||
- env:
|
|
||||||
- - name: KUBERNETES_NODE_NAME
|
|
||||||
- valueFrom:
|
|
||||||
- fieldRef:
|
|
||||||
- fieldPath: spec.nodeName
|
|
||||||
- - name: CALICO_NETWORKING_BACKEND
|
|
||||||
- valueFrom:
|
|
||||||
- configMapKeyRef:
|
|
||||||
- name: calico-config
|
|
||||||
- key: calico_backend
|
|
||||||
- volumeMounts:
|
|
||||||
- - mountPath: /var/lib/cni/networks
|
|
||||||
- name: host-local-net-dir
|
|
||||||
- - mountPath: /host/opt/cni/bin
|
|
||||||
- name: cni-bin-dir
|
|
||||||
- securityContext:
|
|
||||||
- privileged: true
|
|
||||||
# This container installs the CNI binaries
|
|
||||||
# and CNI network config file on each node.
|
|
||||||
- name: install-cni
|
|
||||||
@@ -3545,7 +3522,7 @@
|
|
||||||
key: calico_backend
|
|
||||||
# Cluster type to identify the deployment type
|
|
||||||
- name: CLUSTER_TYPE
|
|
||||||
- value: "k8s,bgp"
|
|
||||||
+ value: "k8s,kubeadm"
|
|
||||||
# Auto-detect the BGP IP address.
|
|
||||||
- name: IP
|
|
||||||
value: "autodetect"
|
|
||||||
@@ -3554,7 +3531,7 @@
|
|
||||||
value: "Never"
|
|
||||||
# Enable or Disable VXLAN on the default IP pool.
|
|
||||||
- name: CALICO_IPV4POOL_VXLAN
|
|
||||||
- value: "CrossSubnet"
|
|
||||||
+ value: "Always"
|
|
||||||
# Set MTU for tunnel device used if ipip is enabled
|
|
||||||
- name: FELIX_IPINIPMTU
|
|
||||||
valueFrom:
|
|
||||||
@@ -3595,9 +3572,17 @@
|
|
||||||
value: "false"
|
|
||||||
# Set Felix logging to "info"
|
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
|
||||||
- value: "info"
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYFILE
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYSYS
|
|
||||||
+ value: ""
|
|
||||||
- name: FELIX_HEALTHENABLED
|
|
||||||
value: "true"
|
|
||||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
||||||
+ value: "false"
|
|
||||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
|
||||||
+ value: "true"
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
resources:
|
|
||||||
@@ -3608,7 +3593,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-live
|
|
||||||
- - -bird-live
|
|
||||||
periodSeconds: 10
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
failureThreshold: 6
|
|
||||||
@@ -3617,7 +3601,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-ready
|
|
||||||
- - -bird-ready
|
|
||||||
periodSeconds: 10
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /lib/modules
|
|
3359
charts/kubezero-calico/calico-v3.16.5.patch
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
# Source: calico/templates/kdd-crds.yaml
|
# Source: calico/templates/kdd-crds.yaml
|
||||||
|
|
||||||
|
|
||||||
@ -192,6 +193,29 @@ spec:
|
|||||||
description: Selector for the nodes that should have this peering. When
|
description: Selector for the nodes that should have this peering. When
|
||||||
this is set, the Node field must be empty.
|
this is set, the Node field must be empty.
|
||||||
type: string
|
type: string
|
||||||
|
password:
|
||||||
|
description: Optional BGP password for the peerings generated by this
|
||||||
|
BGPPeer resource.
|
||||||
|
properties:
|
||||||
|
secretKeyRef:
|
||||||
|
description: Selects a key of a secret in the node pod's namespace.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: The key of the secret to select from. Must be
|
||||||
|
a valid secret key.
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||||
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
||||||
|
type: string
|
||||||
|
optional:
|
||||||
|
description: Specify whether the Secret or its key must be
|
||||||
|
defined
|
||||||
|
type: boolean
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
peerIP:
|
peerIP:
|
||||||
description: The IP address of the peer followed by an optional port
|
description: The IP address of the peer followed by an optional port
|
||||||
number to peer with. If port number is given, format should be `[<IPv6>]:port`
|
number to peer with. If port number is given, format should be `[<IPv6>]:port`
|
||||||
@ -396,6 +420,16 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
description: FelixConfigurationSpec contains the values of the Felix configuration.
|
description: FelixConfigurationSpec contains the values of the Felix configuration.
|
||||||
properties:
|
properties:
|
||||||
|
allowIPIPPacketsFromWorkloads:
|
||||||
|
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
|
||||||
|
will add a rule to drop IPIP encapsulated traffic from workloads
|
||||||
|
[Default: false]'
|
||||||
|
type: boolean
|
||||||
|
allowVXLANPacketsFromWorkloads:
|
||||||
|
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
|
||||||
|
will add a rule to drop VXLAN encapsulated traffic from workloads
|
||||||
|
[Default: false]'
|
||||||
|
type: boolean
|
||||||
awsSrcDstCheck:
|
awsSrcDstCheck:
|
||||||
description: 'Set source-destination-check on AWS EC2 instances. Accepted
|
description: 'Set source-destination-check on AWS EC2 instances. Accepted
|
||||||
value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
|
value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
|
||||||
|
@ -1,6 +0,0 @@
|
|||||||
{{- if .Values.installCRDs }}
|
|
||||||
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
|
|
||||||
{{ $.Files.Get $path }}
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
@ -1,5 +1,3 @@
|
|||||||
installCRDs: false
|
|
||||||
|
|
||||||
image:
|
image:
|
||||||
tag: ""
|
tag: ""
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-cert-manager
|
name: kubezero-cert-manager
|
||||||
description: KubeZero Umbrella Chart for cert-manager
|
description: KubeZero Umbrella Chart for cert-manager
|
||||||
type: application
|
type: application
|
||||||
version: 0.4.0
|
version: 0.4.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -15,6 +15,7 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
version: 1.0.3
|
version: 1.1.0
|
||||||
repository: https://charts.jetstack.io
|
repository: https://charts.jetstack.io
|
||||||
|
condition: cert-manager.enabled
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-cert-manager
|
# kubezero-cert-manager
|
||||||
|
|
||||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for cert-manager
|
KubeZero Umbrella Chart for cert-manager
|
||||||
|
|
||||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://charts.jetstack.io | cert-manager | 1.0.3 |
|
| https://charts.jetstack.io | cert-manager | 1.1.0 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## AWS - IAM Role
|
## AWS - IAM Role
|
||||||
@ -38,12 +38,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
|||||||
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| cert-manager.enabled | bool | `true` | |
|
||||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||||
|
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
||||||
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
||||||
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
||||||
| cert-manager.installCRDs | bool | `true` | |
|
|
||||||
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
|
| cert-manager.podAnnotations | object | `{}` | |
|
||||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
@ -51,5 +52,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
|||||||
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
| clusterIssuer | object | `{}` | |
|
| clusterIssuer | object | `{}` | |
|
||||||
| localCA.enabled | bool | `true` | |
|
| localCA.enabled | bool | `false` | |
|
||||||
| localCA.selfsigning | bool | `true` | |
|
| localCA.selfsigning | bool | `true` | |
|
||||||
|
@ -3,11 +3,11 @@
|
|||||||
|
|
||||||
# KubeZero / Local cluster CA
|
# KubeZero / Local cluster CA
|
||||||
# The resources are serialized via waves in Argo
|
# The resources are serialized via waves in Argo
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Issuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-selfsigning-issuer
|
name: kubezero-selfsigning-issuer
|
||||||
namespace: kube-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
annotations:
|
annotations:
|
||||||
@ -15,11 +15,11 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
selfSigned: {}
|
selfSigned: {}
|
||||||
---
|
---
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-local-ca
|
name: kubezero-local-ca
|
||||||
namespace: kube-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
annotations:
|
annotations:
|
||||||
@ -30,6 +30,7 @@ spec:
|
|||||||
isCA: true
|
isCA: true
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: kubezero-selfsigning-issuer
|
name: kubezero-selfsigning-issuer
|
||||||
|
kind: ClusterIssuer
|
||||||
usages:
|
usages:
|
||||||
- "any"
|
- "any"
|
||||||
---
|
---
|
||||||
@ -39,7 +40,7 @@ apiVersion: v1
|
|||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-ca-tls
|
name: kubezero-ca-tls
|
||||||
namespace: kube-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
data:
|
data:
|
||||||
@ -48,11 +49,11 @@ data:
|
|||||||
---
|
---
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Issuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-local-ca-issuer
|
name: kubezero-local-ca-issuer
|
||||||
namespace: kube-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
annotations:
|
annotations:
|
||||||
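Review bot: Turning kubezero-selfsigning-issuer and kubezero-local-ca-issuer from a namespaced `Issuer` into a `ClusterIssuer` lets a Certificate in any namespace be signed by the local CA, where before only kube-system could reference it; if that wider trust boundary is intended, a comment saying so above the first `kind: ClusterIssuer` would help, otherwise an `Issuer` in `{{ .Release.Namespace }}` keeps the old scope. The `namespace: {{ .Release.Namespace }}` line kept under each ClusterIssuer's `metadata:` has no meaning for a cluster-scoped kind and is at best ignored by the server, so it should be dropped from those two objects. Separately, cert-manager resolves a ClusterIssuer's `ca.secretName` in its cluster-resource namespace (by default the namespace cert-manager itself runs in), not in the namespace the Secret is rendered into, so the `kubezero-ca-tls` Secret now placed in `{{ .Release.Namespace }}` is only found when that matches; a comment above the Secret such as `# must be in cert-manager's cluster-resource namespace: ClusterIssuers resolve secretName there` would record the assumption. The header comment `# The resources are serialized via waves in Argo` is unchanged but looks stale for an argoless branch. The CA issuer's `ca:` stanza and the annotation bodies are outside these hunks.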
|
@ -1,5 +1,5 @@
|
|||||||
{{- if .Values.clusterIssuer.name }}
|
{{- if .Values.clusterIssuer.name }}
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Values.clusterIssuer.name }}
|
name: {{ .Values.clusterIssuer.name }}
|
||||||
|
@ -9,7 +9,7 @@ clusterIssuer: {}
|
|||||||
# hostedZoneID: 1234567890
|
# hostedZoneID: 1234567890
|
||||||
|
|
||||||
localCA:
|
localCA:
|
||||||
enabled: true
|
enabled: false
|
||||||
# If selfsigning is false you must provide the ca key and crt below
|
# If selfsigning is false you must provide the ca key and crt below
|
||||||
selfsigning: true
|
selfsigning: true
|
||||||
#ca:
|
#ca:
|
||||||
@ -17,34 +17,45 @@ localCA:
|
|||||||
# crt: <pem-crt-material>
|
# crt: <pem-crt-material>
|
||||||
|
|
||||||
cert-manager:
|
cert-manager:
|
||||||
installCRDs: true
|
enabled: true
|
||||||
|
|
||||||
|
global:
|
||||||
|
leaderElection:
|
||||||
|
namespace: "cert-manager"
|
||||||
|
|
||||||
|
podAnnotations: {}
|
||||||
|
# iam.amazonaws.com/role: ""
|
||||||
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
|
|
||||||
ingressShim:
|
ingressShim:
|
||||||
defaultIssuerName: letsencrypt-dns-prod
|
defaultIssuerName: letsencrypt-dns-prod
|
||||||
defaultIssuerKind: ClusterIssuer
|
defaultIssuerKind: ClusterIssuer
|
||||||
|
|
||||||
webhook:
|
webhook:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
|
|
||||||
cainjector:
|
cainjector:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
|
|
||||||
extraArgs:
|
extraArgs:
|
||||||
- "--dns01-recursive-nameservers-only"
|
- "--dns01-recursive-nameservers-only"
|
||||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||||
# - --enable-certificate-owner-ref=true
|
# - --enable-certificate-owner-ref=true
|
||||||
|
|
||||||
prometheus:
|
prometheus:
|
||||||
servicemonitor:
|
servicemonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
|
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
|
||||||
podAnnotations: {}
|
|
||||||
# iam.amazonaws.com/role: ""
|
|
||||||
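Review bot: `installCRDs: true` under `cert-manager:` is replaced by `enabled: true` rather than accompanied by it, so the subchart falls back to its own default of not installing CRDs (the regenerated README in this PR drops the `cert-manager.installCRDs` row as well); unless the CRDs are now shipped another way, e.g. a `crds/` directory in this chart, a fresh install has no cert-manager.io kinds for the local-ca and clusterissuer templates to create, so either keep `installCRDs: true` alongside `enabled: true` or add a comment saying where the CRDs come from. The helm-docs line `# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN …` stays at the bottom of the block while the `podAnnotations: {}` it describes moved to the top without it, which is why the README row lost its description; move that comment directly above the new `podAnnotations: {}`. Whether the cert-manager block ends at this hunk is not visible.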
|
24
charts/kubezero-istio-ingress/Chart.yaml
@ -0,0 +1,24 @@
|
|||||||
|
apiVersion: v2
|
||||||
|
name: kubezero-istio-ingress
|
||||||
|
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||||
|
type: application
|
||||||
|
version: 0.1.1
|
||||||
|
appVersion: 1.8.1
|
||||||
|
home: https://kubezero.com
|
||||||
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
keywords:
|
||||||
|
- kubezero
|
||||||
|
- istio
|
||||||
|
maintainers:
|
||||||
|
- name: Quarky9
|
||||||
|
dependencies:
|
||||||
|
- name: kubezero-lib
|
||||||
|
version: ">= 0.1.3"
|
||||||
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
|
- name: istio-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
condition: istio-ingress.enabled
|
||||||
|
- name: istio-private-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
condition: istio-private-ingress.enabled
|
||||||
|
kubeVersion: ">= 1.16.0"
|
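Review bot: The `istio-ingress` and `istio-private-ingress` dependencies carry a `version:` but no `repository:`, so they resolve to vendored copies under this chart's `charts/` directory and nothing in the chart records which upstream Istio release they were taken from or lets `helm dependency update` re-fetch and verify them. A comment per entry, e.g. `# vendored from upstream istio gateway chart at <UPSTREAM_REF>; re-vendor on appVersion bumps`, would keep the provenance reviewable when `appVersion: 1.8.1` is next raised. Both dependencies also default to disabled according to the regenerated README, so the chart installs only kubezero-lib unless one of the `*.enabled` values is set; a sentence in `description:` would spare users that surprise.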
97
charts/kubezero-istio-ingress/README.md
@ -0,0 +1,97 @@
|
|||||||
|
# kubezero-istio-ingress
|
||||||
|
|
||||||
|
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
|
||||||
|
|
||||||
|
KubeZero Umbrella Chart for Istio based Ingress
|
||||||
|
|
||||||
|
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||||
|
|
||||||
|
**Homepage:** <https://kubezero.com>
|
||||||
|
|
||||||
|
## Maintainers
|
||||||
|
|
||||||
|
| Name | Email | Url |
|
||||||
|
| ---- | ------ | --- |
|
||||||
|
| Quarky9 | | |
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
Kubernetes: `>= 1.16.0`
|
||||||
|
|
||||||
|
| Repository | Name | Version |
|
||||||
|
|------------|------|---------|
|
||||||
|
| | istio-ingress | 1.1.0 |
|
||||||
|
| | istio-private-ingress | 1.1.0 |
|
||||||
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
|
## Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| global.arch.amd64 | int | `2` | |
|
||||||
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
|
| global.hub | string | `"docker.io/istio"` | |
|
||||||
|
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||||
|
| global.logAsJson | bool | `true` | |
|
||||||
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
|
| global.tag | string | `"1.8.1"` | |
|
||||||
|
| istio-ingress.dnsNames | list | `[]` | |
|
||||||
|
| istio-ingress.enabled | bool | `false` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||||
|
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||||
|
| istio-private-ingress.dnsNames | list | `[]` | |
|
||||||
|
| istio-private-ingress.enabled | bool | `false` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
|
||||||
|
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
|
||||||
|
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
|
||||||
|
- https://istio.io/latest/docs/setup/install/standalone-operator/
|
24
charts/kubezero-istio-ingress/README.md.gotmpl
@ -0,0 +1,24 @@
|
|||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.deprecationWarning" . }}
|
||||||
|
|
||||||
|
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||||
|
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||||
|
|
||||||
|
{{ template "chart.homepageLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.maintainersSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourcesSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
|
||||||
|
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
|
||||||
|
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
|
||||||
|
- https://istio.io/latest/docs/setup/install/standalone-operator/
|
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
name: istio-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
tillerVersion: ">=2.7.2"
|
||||||
|
description: Helm chart for deploying Istio gateways
|
||||||
|
keywords:
|
||||||
|
- istio
|
||||||
|
- ingressgateway
|
||||||
|
- gateways
|
||||||
|
sources:
|
||||||
|
- http://github.com/istio/istio
|
||||||
|
engine: gotpl
|
||||||
|
icon: https://istio.io/latest/favicons/android-192x192.png
|
43
charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
|
||||||
|
Changes:
|
||||||
|
- separate namespace allows:
|
||||||
|
-- easier reconfig of just the gateway
|
||||||
|
-- TLS secrets and domain name management is isolated, for better security
|
||||||
|
-- simplified configuration
|
||||||
|
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||||
|
|
||||||
|
- the new chart uses the default namespace service account, and doesn't require
|
||||||
|
additional RBAC permissions.
|
||||||
|
|
||||||
|
- simplified label and chart structure.
|
||||||
|
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||||
|
and allows a bit more flexibility.
|
||||||
|
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||||
|
|
||||||
|
# Port and basic host configuration
|
||||||
|
|
||||||
|
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||||
|
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||||
|
both in upgrade, Gateway and VirtualService.
|
||||||
|
|
||||||
|
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||||
|
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||||
|
config for the rest.
|
||||||
|
|
||||||
|
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||||
|
|
||||||
|
# Migration from istio-system
|
||||||
|
|
||||||
|
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||||
|
with the Service and bound to the namespace, it is recommended to:
|
||||||
|
|
||||||
|
1. Install the new gateway in a new namespace.
|
||||||
|
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||||
|
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||||
|
4. Modify the DNS server to add the A record of the new namespace
|
||||||
|
5. Check traffic
|
||||||
|
6. Delete the A record corresponding to the gateway in istio-system
|
||||||
|
7. Upgrade istio-system, disabling the ingressgateway
|
||||||
|
8. Delete the domain TLS certs from istio-system.
|
||||||
|
|
||||||
|
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -0,0 +1,93 @@
|
|||||||
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
|
{{- define "nodeaffinity" }}
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||||
|
{{- range $key, $val := $nodeSelector }}
|
||||||
|
- key: {{ $key }}
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- weight: {{ $val | int }}
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinity" }}
|
||||||
|
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||||
|
podAntiAffinity:
|
||||||
|
{{- if .podAntiAffinityLabelSelector }}
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .podAntiAffinityTermLabelSelector }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||||
|
- podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
weight: 100
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
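Review bot: The helper names defined in this file — `nodeaffinity`, `nodeAffinityRequiredDuringScheduling`, `nodeAffinityPreferredDuringScheduling`, `podAntiAffinity` and the two `podAntiAffinity*DuringScheduling` helpers — carry no chart prefix, and Helm `define` names are global across a release, so if another subchart installed in the same release ships identically named templates (plausible here, since the parent kubezero-istio chart appears to vendor the same upstream Istio gateway templates), whichever definition is loaded last wins silently. Prefixing them with the chart name (`istio-ingress.nodeaffinity`, …) and updating the two `include` calls in the deployment template avoids that. A short header comment such as `{{/* Affinity helpers shared by the gateway Deployment; rendered via include with a dict of global/nodeSelector */}}` would also help, as the file currently carries only the kubernetes.io link.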
|
@ -0,0 +1,27 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||||
|
apiVersion: autoscaling/v2beta1
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||||
|
minReplicas: {{ $gateway.autoscaleMin }}
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||||
|
---
|
||||||
|
{{- end }}
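Review bot: `apiVersion: autoscaling/v2beta1` is removed in Kubernetes 1.25, so this HorizontalPodAutoscaler stops applying on current clusters; `autoscaling/v2` (GA since 1.23, `autoscaling/v2beta2` if older clusters must still be supported) is the replacement, and its metric schema differs, so `targetAverageUtilization` moves under a `target` block as shown below. The `policy/v1beta1` PodDisruptionBudget later in this commit has the same problem. The leading `{{ $gateway := … }}` without the `-` trim also emits a blank first line into the rendered document; `{{- $gateway := … }}`, as the deployment template does it, keeps the output clean.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, spec.maxReplicas / minReplicas / scaleTargetRef …
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
```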
|
@ -0,0 +1,346 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if not (eq .Values.revision "") }}
|
||||||
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
|
{{- else}}
|
||||||
|
service.istio.io/canonical-revision: latest
|
||||||
|
{{- end }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
terminationGracePeriodSeconds: 90
|
||||||
|
{{- if .Values.global.proxy.enableCoreDump }}
|
||||||
|
initContainers:
|
||||||
|
- name: enable-core-dump
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
privileged: true
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
{{- if .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logging.level }}
|
||||||
|
- --log_output_level={{ .Values.global.logging.level }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
- --serviceCluster
|
||||||
|
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 30
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 1
|
||||||
|
periodSeconds: 2
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if $.Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.meshID }}"
|
||||||
|
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: {{ .Values.global.network }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
|
value: |
|
||||||
|
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||||
|
{{ end }}
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: istio-envoy
|
||||||
|
mountPath: /etc/istio/proxy
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/istio/config
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
mountPath: /var/run/secrets/tokens
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
mountPath: /var/run/ingress_gateway
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
mountPath: /etc/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
- name: podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
- name: podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- name: istio-envoy
|
||||||
|
emptyDir: {}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
secretName: istio.istio-ingressgateway-service-account
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
optional: true
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
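Review bot: The `enable-core-dump` init container runs with `privileged: true` as UID 0 and executes `sysctl -w kernel.core_pattern=…`; `kernel.core_pattern` is not a namespaced sysctl, so enabling `global.proxy.enableCoreDump` rewrites the core-dump path for every process on the node, not just this pod, and any pod-security admission in this namespace must admit privileged containers for the gateway to schedule at all. A comment above `{{- if .Values.global.proxy.enableCoreDump }}` stating that node-wide effect would help operators keep the flag off outside debugging sessions. Separately, the mTLS cert volume uses the fixed `secretName: istio.istio-ingressgateway-service-account` while the service account is `{{ $gateway.name | default "istio-ingressgateway" }}-service-account`, so a renamed gateway silently mounts an empty (`optional: true`) secret; `secretName: istio.{{ $gateway.name | default "istio-ingressgateway" }}-service-account` keeps the two aligned. The `$gateway.env` loop emits `value: {{ $val }}` unquoted whereas the `proxyMetadata` loop writes `value: "{{ $value }}"`; a numeric or boolean-looking env value fails to unmarshal into the string `value` field, so `value: {{ $val | quote }}` is the safer form.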
|
@ -0,0 +1,79 @@
|
|||||||
|
{{- if .Values.global.meshExpansion.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-gateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiod
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiodwebhook
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-vs-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
gateways:
|
||||||
|
- meshexpansion-gateway
|
||||||
|
tcp:
|
||||||
|
- match:
|
||||||
|
- port: 15012
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 15012
|
||||||
|
- match:
|
||||||
|
- port: 15017
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 443
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-dr-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
trafficPolicy:
|
||||||
|
portLevelSettings:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
|
||||||
|
{{- end }}
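Review bot: The istiod host is spelled inconsistently in this file: the VirtualService `hosts` entry and the 15012 route use `istiod.{{ .Values.global.istioNamespace }}…`, but the 15017 route's destination and the DestinationRule `host` use `istiod.{{ .Release.Namespace }}…`. This chart is intended to run in its own namespace (values.yaml: "Must be installed in a separate namespace"), where no istiod Service exists, so the 15017 route points at a non-existent host and the `tls: mode: DISABLE` port settings would, as far as I can tell, never match the 15012 destination; both `.Release.Namespace` occurrences should read `.Values.global.istioNamespace`. A comment is also warranted on the Gateway: with `hosts: - "*"`, enabling `meshExpansion` publishes control-plane ports 15012 and 15017 on the ingress gateway to every client that can reach it, so operators should pair it with `loadBalancerSourceRanges` on the Service or equivalent network controls.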
|
@ -0,0 +1,19 @@
|
|||||||
|
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
minAvailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||||
|
{{- end }}
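Review bot: `minAvailable: 1` combined with a single gateway replica (the Deployment honours `replicaCount` when autoscaling is off) makes this PDB block every voluntary eviction, so node drains and upgrades stall until the pod is removed by hand; `maxUnavailable: 1`, or a `minAvailable` derived from the configured replica count, avoids that, and otherwise a comment should state that `defaultPodDisruptionBudget.enabled` assumes at least two replicas. `apiVersion: policy/v1beta1` is deprecated and removed in Kubernetes 1.25; `policy/v1` has the same schema for this resource.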
|
@ -0,0 +1,78 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.multiCluster.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- hosts:
|
||||||
|
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
port:
|
||||||
|
name: tls
|
||||||
|
number: 15443
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: AUTO_PASSTHROUGH
|
||||||
|
---
|
||||||
|
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
listener:
|
||||||
|
portNumber: 15443
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.filters.network.sni_cluster"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_AFTER
|
||||||
|
value:
|
||||||
|
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||||
|
typed_config:
|
||||||
|
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||||
|
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||||
|
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
|
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||||
|
exportTo:
|
||||||
|
- '*'
|
||||||
|
{{- end }}
|
||||||
|
trafficPolicy:
|
||||||
|
tls:
|
||||||
|
mode: ISTIO_MUTUAL
|
||||||
|
---
|
||||||
|
{{- end }}
|
@ -0,0 +1,16 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "watch", "list"]
|
||||||
|
---
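Review bot: This Role grants `get`, `watch` and `list` on every Secret in the release namespace with no `resourceNames` restriction, and the RoleBinding in the next hunk attaches it to the gateway service account; that is presumably why values.yaml insists on a dedicated namespace, but nothing in the template says so, and NOTES.txt in this commit still claims the chart "doesn't require additional RBAC permissions", which this file contradicts. A comment above `rules:` such as `# Gateway SDS reads TLS Secrets; the grant covers the whole namespace, so keep this chart in a namespace that holds no unrelated Secrets` would make the trade-off visible, and the NOTES sentence should be corrected.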
|
@ -0,0 +1,19 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
---
|
@ -0,0 +1,55 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if not $gateway.customService }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
annotations:
|
||||||
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
{{ $key }}: {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if $gateway.loadBalancerIP }}
|
||||||
|
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.loadBalancerSourceRanges }}
|
||||||
|
loadBalancerSourceRanges:
|
||||||
|
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.externalTrafficPolicy }}
|
||||||
|
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
type: {{ $gateway.type }}
|
||||||
|
selector:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
ports:
|
||||||
|
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
|
-
|
||||||
|
port: {{ $app.port }}
|
||||||
|
name: {{ $app.name }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{ end }}
|
@ -0,0 +1,18 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
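--- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
@@ -0,0 +1,336 @@
+# A-la-carte istio ingress gateway.
+# Must be installed in a separate namespace, to minimize access to secrets.
+
+gateways:
+istio-ingressgateway:
+name: istio-ingressgateway
+labels:
+app: istio-ingressgateway
+istio: ingressgateway
+ports:
+## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+# Note that AWS ELB will by default perform health checks on the first port
+# on this list. Setting this to the health check port will ensure that health
+# checks always work. https://github.com/istio/istio/issues/12503
+- port: 15021
+targetPort: 15021
+name: status-port
+protocol: TCP
+- port: 80
+targetPort: 8080
+name: http2
+protocol: TCP
+- port: 443
+targetPort: 8443
+name: https
+protocol: TCP
+# This is the port where sni routing happens
+- port: 15443
+targetPort: 15443
+name: tls
+protocol: TCP
+
+# Scalability tunning
+# replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
+autoscaleEnabled: true
+autoscaleMin: 1
+autoscaleMax: 5
+
+cpu:
+targetAverageUtilization: 80
+
+resources:
+requests:
+cpu: 100m
+memory: 128Mi
+limits:
+cpu: 2000m
+memory: 1024Mi
+
+loadBalancerIP: ""
+loadBalancerSourceRanges: []
+serviceAnnotations: {}
+
+# Enable cross-cluster access using SNI matching
+zvpn:
+enabled: false
+suffix: global
+
+# To generate an internal load balancer:
+# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
+#serviceAnnotations:
+# cloud.google.com/load-balancer-type: "internal"
+
+podAnnotations: {}
+type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+
+#### MESH EXPANSION PORTS ########
+# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+# to pilot/citadel if global.meshExpansion settings are enabled.
+# Delete these ports if mesh expansion is not enabled, to avoid
+# exposing unnecessary ports on the web.
+# You can remove these ports if you are not using mesh expansion
+meshExpansionPorts:
+- port: 15012
+targetPort: 15012
+name: tcp-istiod
+####### end MESH EXPANSION PORTS ######
+
+##############
+secretVolumes:
+- name: ingressgateway-certs
+secretName: istio-ingressgateway-certs
+mountPath: /etc/istio/ingressgateway-certs
+- name: ingressgateway-ca-certs
+secretName: istio-ingressgateway-ca-certs
+mountPath: /etc/istio/ingressgateway-ca-certs
+
+customService: false
+externalTrafficPolicy: ""
+
+ingressPorts: []
+additionalContainers: []
+configVolumes: []
+
+### Advanced options ############
+env:
+# A gateway with this mode ensures that pilot generates an additional
+# set of clusters for internal services but without Istio mTLS, to
+# enable cross cluster routing.
+ISTIO_META_ROUTER_MODE: "sni-dnat"
+
+nodeSelector: {}
+tolerations: []
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote "hard" vs. "soft" requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# "security" and value "S1".
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# whether to run the gateway in a privileged container
+runAsRoot: false
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+# set the default set of namespaces to which services, service entries, virtual services, destination
+# rules should be exported to. Currently only one value can be provided in this list. This value
+# should be one of the following two options:
+# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+defaultConfigVisibilitySettings: []
+
+# enable pod disruption budget for the control plane, which is used to
+# ensure Istio control plane components are gradually upgraded or recovered.
+defaultPodDisruptionBudget:
+enabled: true
+
+# A minimal set of requested resources to applied to all deployments so that
+# Horizontal Pod Autoscaler will be able to function (if set).
+# Each component can overwrite these default values by adding its own resources
+# block in the relevant section below and setting the desired resources values.
+defaultResources:
+requests:
+cpu: 10m
+# memory: 128Mi
+# limits:
+# cpu: 100m
+# memory: 128Mi
+
+# Default node tolerations to be applied to all deployments so that all pods can be
+# scheduled to a particular nodes with matching taints. Each component can overwrite
+# these default values by adding its tolerations block in the relevant section below
+# and setting the desired values.
+# Configure this field in case that all pods of Istio control plane are expected to
+# be scheduled to particular nodes with specified taints.
+defaultTolerations: []
+
+# Default hub for Istio images.
+# Releases are published to docker hub under 'istio' project.
+# Dev builds from prow are on gcr.io
+hub: gcr.io/istio-testing
+
+# Default tag for Istio images.
+tag: latest
+
+# Specify image pull policy if default behavior isn't desired.
+# Default behavior: latest images will be Always else IfNotPresent.
+imagePullPolicy: ""
+
+# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+# to use for pulling any images in pods that reference this ServiceAccount.
+# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+# Must be set for any cluster configured with private docker registry.
+imagePullSecrets: []
+# - private-registry-key
+
+# To output all istio components logs in json format by adding --log_as_json argument to each container argument
+logAsJson: false
+
+# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
+# 0 - Never scheduled
+# 1 - Least preferred
+# 2 - No preference
+# 3 - Most preferred
+arch:
+amd64: 2
+s390x: 2
+ppc64le: 2
+
+# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+# The control plane has different scopes depending on component, but can configure default log level across all components
+# If empty, default scope and level will be used as configured in code
+logging:
+level: "default:info"
+
+# If set to true, the pilot and citadel mtls will be exposed on the
+# ingress gateway
+meshExpansion:
+enabled: false
+# If set to true, the pilot and citadel mtls and the plain text pilot ports
+# will be exposed on an internal gateway
+useILB: false
+
+# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+# system-node-critical, it is better to configure this in order to make sure your Istio pods
+# will not be killed because of low priority class.
+# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+# for more detail.
+priorityClassName: ""
+
+proxy:
+image: proxyv2
+
+# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+# cluster domain. Default value is "cluster.local".
+clusterDomain: "cluster.local"
+
+# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+# not set, then the global "logLevel" will be used.
+componentLogLevel: "misc:error"
+
+# If set, newly injected sidecars will have core dumps enabled.
+enableCoreDump: false
+
+# Log level for proxy, applies to gateways and sidecars.
+# Expected values are: trace|debug|info|warning|error|critical|off
+logLevel: warning
+
+##############################################################################################
+# The following values are found in other charts. To effectively modify these values, make #
+# make sure they are consistent across your Istio helm charts #
+##############################################################################################
+
+# The customized CA address to retrieve certificates for the pods in the cluster.
+# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+caAddress: ""
+
+# Used to locate istiod.
+istioNamespace: istio-system
+
+# Configure the policy for validating JWT.
+# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+jwtPolicy: "third-party-jwt"
+
+# Mesh ID means Mesh Identifier. It should be unique within the scope where
+# meshes will interact with each other, but it is not required to be
+# globally/universally unique. For example, if any of the following are true,
+# then two meshes must have different Mesh IDs:
+# - Meshes will have their telemetry aggregated in one place
+# - Meshes will be federated together
+# - Policy will be written referencing one mesh from the other
+#
+# If an administrator expects that any of these conditions may become true in
+# the future, they should ensure their meshes have different Mesh IDs
+# assigned.
+#
+# Within a multicluster mesh, each cluster must be (manually or auto)
+# configured to have the same Mesh ID value. If an existing cluster 'joins' a
+# multicluster mesh, it will need to be migrated to the new mesh ID. Details
+# of migration TBD, and it may be a disruptive operation to change the Mesh
+# ID post-install.
+#
+# If the mesh admin does not specify a value, Istio will use the value of the
+# mesh's Trust Domain. The best practice is to select a proper Trust Domain
+# value.
+meshID: ""
+
+# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+mountMtlsCerts: false
+
+multiCluster:
+# Set to true to connect two kubernetes clusters via their respective
+# ingressgateway services when pods in each cluster cannot directly
+# talk to one another. All clusters should be using Istio mTLS and must
+# have a shared root CA for this model to work.
+enabled: false
+# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+# to properly label proxies
+clusterName: ""
+# The suffix for global service names
+globalDomainSuffix: "global"
+# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
+includeEnvoyFilter: true
+
+# Network defines the network this cluster belong to. This name
+# corresponds to the networks in the map of mesh networks.
+network: ""
+
+# Configure the certificate provider for control plane communication.
+# Currently, two providers are supported: "kubernetes" and "istiod".
+# As some platforms may not have kubernetes signing APIs,
+# Istiod is the default
+pilotCertProvider: istiod
+
+sds:
+# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+# JWT is intended for the CA.
+token:
+aud: istio-ca
+
+sts:
+# The service port used by Security Token Service (STS) server to handle token exchange requests.
+# Setting this port to a non-zero value enables STS server.
+servicePort: 0
+
+# Deprecated, use meshConfig.trustDomain
+# trustDomain: ""
+
+meshConfig:
+enablePrometheusMerge: true
+# trustDomain: ""
+defaultConfig:
+proxyMetadata: {}
+tracing:
+# tlsSettings:
+# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+# privateKey: # example: /etc/istio/tracer/key.pem
+# caCertificates: # example: /etc/istio/tracer/root-cert.pem
+# sni: # example: tracer.somedomain
+# subjectAltNames: []
+# - tracer.somedomain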
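Review bot: The image defaults `hub: gcr.io/istio-testing` and `tag: latest` make the gateway's proxy image a mutable development build from the prow registry, while the comment two lines above says releases are published on docker hub under `istio`. Unless the parent kubezero chart overrides `global.hub` and `global.tag` (not visible in this PR), the deployment will pull an unpinned test image on every `imagePullPolicy: Always` rollout; pin them to a release, e.g. `hub: docker.io/istio` and `tag: "<pinned-istio-release>"` (placeholder), and quote the tag so a numeric-looking version is not retyped by YAML. Note also that `loadBalancerSourceRanges: []` leaves the LoadBalancer reachable from any source, which is the expected default for a public ingress but deserves a one-line comment so operators know where to restrict it.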
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
name: istio-private-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
tillerVersion: ">=2.7.2"
|
||||||
|
description: Helm chart for deploying Istio gateways
|
||||||
|
keywords:
|
||||||
|
- istio
|
||||||
|
- ingressgateway
|
||||||
|
- gateways
|
||||||
|
sources:
|
||||||
|
- http://github.com/istio/istio
|
||||||
|
engine: gotpl
|
||||||
|
icon: https://istio.io/latest/favicons/android-192x192.png
|
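Review bot: `apiVersion: v1` together with `tillerVersion: ">=2.7.2"` and `engine: gotpl` is the Helm 2 chart format; Helm 3 ignores `tillerVersion` and `engine`, and an `apiVersion: v1` chart cannot declare `dependencies` in Chart.yaml, so the sibling charts in this PR that already use `apiVersion: v2` will diverge from this one. Consider `apiVersion: v2` and dropping the two Helm-2-only keys. The `sources` entry uses plain `http://github.com/istio/istio`; `https://` avoids a redirect and a cleartext hop for anyone following the link.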
@ -0,0 +1,43 @@
|
|||||||
|
|
||||||
|
Changes:
|
||||||
|
- separate namespace allows:
|
||||||
|
-- easier reconfig of just the gateway
|
||||||
|
-- TLS secrets and domain name management is isolated, for better security
|
||||||
|
-- simplified configuration
|
||||||
|
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||||
|
|
||||||
|
- the new chart uses the default namespace service account, and doesn't require
|
||||||
|
additional RBAC permissions.
|
||||||
|
|
||||||
|
- simplified label and chart structure.
|
||||||
|
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||||
|
and allows a bit more flexibility.
|
||||||
|
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||||
|
|
||||||
|
# Port and basic host configuration
|
||||||
|
|
||||||
|
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||||
|
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||||
|
both in upgrade, Gateway and VirtualService.
|
||||||
|
|
||||||
|
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||||
|
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||||
|
config for the rest.
|
||||||
|
|
||||||
|
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||||
|
|
||||||
|
# Migration from istio-system
|
||||||
|
|
||||||
|
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||||
|
with the Service and bound to the namespace, it is recommended to:
|
||||||
|
|
||||||
|
1. Install the new gateway in a new namespace.
|
||||||
|
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||||
|
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||||
|
4. Modify the DNS server to add the A record of the new namespace
|
||||||
|
5. Check traffic
|
||||||
|
6. Delete the A record corresponding to the gateway in istio-system
|
||||||
|
7. Upgrade istio-system, disabling the ingressgateway
|
||||||
|
8. Delete the domain TLS certs from istio-system.
|
||||||
|
|
||||||
|
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -0,0 +1,93 @@
|
|||||||
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
|
{{- define "nodeaffinity" }}
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||||
|
{{- range $key, $val := $nodeSelector }}
|
||||||
|
- key: {{ $key }}
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- weight: {{ $val | int }}
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinity" }}
|
||||||
|
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||||
|
podAntiAffinity:
|
||||||
|
{{- if .podAntiAffinityLabelSelector }}
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .podAntiAffinityTermLabelSelector }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||||
|
- podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
weight: 100
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
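Review bot: The `nodeAffinityRequiredDuringScheduling` helper reads `.global.defaultNodeSelector` in `{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}`, but the values.yaml added in this PR defines no `global.defaultNodeSelector` key, so the fallback is always nil and only `.nodeSelector` is ever used. That is harmless because `default` tolerates a missing key, but a reader will go looking for the value; either add `defaultNodeSelector: {}` under `global:` in values.yaml or add a template comment such as `{{/* global.defaultNodeSelector is optional; falls back to nil */}}` above the line. The same `split "," $item.values` expression in the two podAntiAffinity helpers assumes `values` is a comma-separated string as the values.yaml example shows, which is worth stating in a comment since a YAML list there would render incorrectly.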
@ -0,0 +1,27 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||||
|
apiVersion: autoscaling/v2beta1
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||||
|
minReplicas: {{ $gateway.autoscaleMin }}
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
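Review bot: `apiVersion: autoscaling/v2beta1` is the deprecated HorizontalPodAutoscaler API; `autoscaling/v2beta2` has been available since Kubernetes 1.12 and `v2beta1` is removed in 1.25, so this manifest will stop applying on clusters upgraded past that. The `metrics` entry changes shape with the newer API: `targetAverageUtilization` moves under a `target` object. Everything else in the hunk (selector, labels, replica bounds) is unchanged by the migration.
```yaml
apiVersion: autoscaling/v2beta2
# … unchanged: kind, metadata, spec.maxReplicas/minReplicas/scaleTargetRef …
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
```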
@ -0,0 +1,346 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if not (eq .Values.revision "") }}
|
||||||
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
|
{{- else}}
|
||||||
|
service.istio.io/canonical-revision: latest
|
||||||
|
{{- end }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
terminationGracePeriodSeconds: 90
|
||||||
|
{{- if .Values.global.proxy.enableCoreDump }}
|
||||||
|
initContainers:
|
||||||
|
- name: enable-core-dump
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
privileged: true
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
{{- if .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logging.level }}
|
||||||
|
- --log_output_level={{ .Values.global.logging.level }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
- --serviceCluster
|
||||||
|
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 30
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 1
|
||||||
|
periodSeconds: 2
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if $.Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.meshID }}"
|
||||||
|
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: {{ .Values.global.network }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
|
value: |
|
||||||
|
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||||
|
{{ end }}
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: istio-envoy
|
||||||
|
mountPath: /etc/istio/proxy
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/istio/config
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
mountPath: /var/run/secrets/tokens
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
mountPath: /var/run/ingress_gateway
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
mountPath: /etc/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
- name: podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
- name: podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- name: istio-envoy
|
||||||
|
emptyDir: {}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
secretName: istio.istio-ingressgateway-service-account
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
optional: true
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,79 @@
|
|||||||
|
{{- if .Values.global.meshExpansion.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-gateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiod
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiodwebhook
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-vs-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
gateways:
|
||||||
|
- meshexpansion-gateway
|
||||||
|
tcp:
|
||||||
|
- match:
|
||||||
|
- port: 15012
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 15012
|
||||||
|
- match:
|
||||||
|
- port: 15017
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 443
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-dr-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
trafficPolicy:
|
||||||
|
portLevelSettings:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
|
||||||
|
{{- end }}
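Review bot: The istiod host is spelled inconsistently inside this file: the VirtualService `hosts` entry and the 15012 route use `istiod.{{ .Values.global.istioNamespace }}...`, while the 15017 route and the DestinationRule `host` use `istiod.{{ .Release.Namespace }}...`. Because the values file states this chart must be installed in a namespace separate from istiod, the two forms diverge in exactly the supported layout: the 15017 route then targets a service that does not exist in the release namespace, and the DestinationRule's `tls.mode: DISABLE` for port 15012 is attached to a host that the 15012 route never uses. Use the same expression in all three places, `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`. Since the Gateway opens istiod's XDS (15012) and webhook (15017) ports to `"*"` through the public ingress gateway, a one-line comment above `apiVersion` noting that this is only rendered when `global.meshExpansion.enabled` is set and relies on istiod's own mTLS would help reviewers of the rendered output.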
|
@ -0,0 +1,19 @@
|
|||||||
|
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
minAvailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||||
|
{{- end }}
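Review bot: `minAvailable: 1` combined with the chart's default `autoscaleMin: 1` (values.yaml in this PR) means a gateway running a single replica can never be voluntarily evicted, so a node drain hangs until the PDB is deleted or the replica count is raised. Either expose the value (`minAvailable: {{ $gateway.pdbMinAvailable | default 1 }}`-style knob, or `maxUnavailable: 1`), or add a comment above `spec:` such as `# With autoscaleMin: 1 this PDB blocks node drains; run at least two replicas when the PDB is enabled`. `policy/v1beta1` is still valid for the declared `kubeVersion: ">= 1.16.0"` but is deprecated on newer clusters, so a note that it will need `policy/v1` eventually would be useful.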
|
@ -0,0 +1,78 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.multiCluster.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- hosts:
|
||||||
|
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
port:
|
||||||
|
name: tls
|
||||||
|
number: 15443
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: AUTO_PASSTHROUGH
|
||||||
|
---
|
||||||
|
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
listener:
|
||||||
|
portNumber: 15443
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.filters.network.sni_cluster"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_AFTER
|
||||||
|
value:
|
||||||
|
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||||
|
typed_config:
|
||||||
|
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||||
|
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||||
|
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
|
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||||
|
exportTo:
|
||||||
|
- '*'
|
||||||
|
{{- end }}
|
||||||
|
trafficPolicy:
|
||||||
|
tls:
|
||||||
|
mode: ISTIO_MUTUAL
|
||||||
|
---
|
||||||
|
{{- end }}
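Review bot: The `exportTo` block on the DestinationRule emits a hard-coded `'*'` whenever `.Values.global.defaultConfigVisibilitySettings` is non-empty and ignores the configured value; the values file documents `.` (same-namespace only) as a legitimate setting, so an operator who deliberately narrows visibility still gets this rule exported mesh-wide. Render the configured list instead, replacing the literal item with `{{ toYaml .Values.global.defaultConfigVisibilitySettings | indent 4 }}` under `exportTo:`. The `tcp_cluster_rewrite` EnvoyFilter and the `AUTO_PASSTHROUGH` server are gated only on `global.multiCluster.enabled`, which is worth a comment above the first `apiVersion` so the rendered manifests make clear that cross-cluster SNI passthrough on 15443 is opt-in.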
|
@ -0,0 +1,16 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "watch", "list"]
|
||||||
|
---
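Review bot: The SDS Role grants `get`, `watch` and `list` on every Secret in the release namespace to the gateway service account, and nothing in the template says why. SDS resolves the TLS secrets referenced by Gateway `credentialName` at runtime, and `list`/`watch` cannot be narrowed with `resourceNames`, which is exactly why the values file insists the gateway runs in its own namespace; that rationale belongs here so the grant is not later widened or copied. Add above `rules:` a comment such as `# SDS needs list/watch on Secrets (credentialName lookups); resourceNames cannot scope it, so keep this chart in a dedicated namespace to limit what the gateway can read`. The RoleBinding in the next hunk binds this Role and would carry the same comment.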
|
@ -0,0 +1,19 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
---
|
@ -0,0 +1,55 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if not $gateway.customService }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
annotations:
|
||||||
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
{{ $key }}: {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if $gateway.loadBalancerIP }}
|
||||||
|
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.loadBalancerSourceRanges }}
|
||||||
|
loadBalancerSourceRanges:
|
||||||
|
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.externalTrafficPolicy }}
|
||||||
|
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
type: {{ $gateway.type }}
|
||||||
|
selector:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
ports:
|
||||||
|
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
|
-
|
||||||
|
port: {{ $app.port }}
|
||||||
|
name: {{ $app.name }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{ end }}
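Review bot: With the default `type: LoadBalancer` and `loadBalancerSourceRanges: []`, the `{{- if $gateway.loadBalancerSourceRanges }}` branch is skipped and the rendered Service carries no source restriction, so the cloud load balancer admits any address on every listed port, including 15012 when `global.meshExpansion.enabled` is set. That mirrors upstream, but it should be stated next to the conditional: `# Empty loadBalancerSourceRanges leaves the cloud LB open to all sources; set it to restrict ingress`. The `-` followed by `{{- range $pkey, $pval := $val }}` construction also produces an empty list item if a port entry is an empty map, which the template would pass through silently; a comment that each `ports` entry must carry at least `port` and `name` would document the assumption.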
|
@ -0,0 +1,18 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
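Review bot: `imagePullSecrets` is emitted before `metadata`, which is valid YAML but reads oddly next to the other templates in this PR, all of which open with `apiVersion`/`kind`/`metadata`. Moving the `{{- if .Values.global.imagePullSecrets }}` block below the `labels` mapping keeps the object in the conventional order and makes the ServiceAccount easier to diff against the rendered output. The leading `{{ $gateway := ... }}` line (not `{{-`) also emits an empty first line in the rendered document; harmless, but the other templates in this PR use the same form, so a project-wide `{{-` would be consistent.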
|
@ -0,0 +1,336 @@
|
|||||||
|
# A-la-carte istio ingress gateway.
|
||||||
|
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
name: istio-ingressgateway
|
||||||
|
labels:
|
||||||
|
app: istio-ingressgateway
|
||||||
|
istio: ingressgateway
|
||||||
|
ports:
|
||||||
|
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||||
|
# Note that AWS ELB will by default perform health checks on the first port
|
||||||
|
# on this list. Setting this to the health check port will ensure that health
|
||||||
|
# checks always work. https://github.com/istio/istio/issues/12503
|
||||||
|
- port: 15021
|
||||||
|
targetPort: 15021
|
||||||
|
name: status-port
|
||||||
|
protocol: TCP
|
||||||
|
- port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
name: http2
|
||||||
|
protocol: TCP
|
||||||
|
- port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
name: https
|
||||||
|
protocol: TCP
|
||||||
|
# This is the port where sni routing happens
|
||||||
|
- port: 15443
|
||||||
|
targetPort: 15443
|
||||||
|
name: tls
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
# Scalability tunning
|
||||||
|
# replicaCount: 1
|
||||||
|
rollingMaxSurge: 100%
|
||||||
|
rollingMaxUnavailable: 25%
|
||||||
|
autoscaleEnabled: true
|
||||||
|
autoscaleMin: 1
|
||||||
|
autoscaleMax: 5
|
||||||
|
|
||||||
|
cpu:
|
||||||
|
targetAverageUtilization: 80
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: 2000m
|
||||||
|
memory: 1024Mi
|
||||||
|
|
||||||
|
loadBalancerIP: ""
|
||||||
|
loadBalancerSourceRanges: []
|
||||||
|
serviceAnnotations: {}
|
||||||
|
|
||||||
|
# Enable cross-cluster access using SNI matching
|
||||||
|
zvpn:
|
||||||
|
enabled: false
|
||||||
|
suffix: global
|
||||||
|
|
||||||
|
# To generate an internal load balancer:
|
||||||
|
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||||
|
#serviceAnnotations:
|
||||||
|
# cloud.google.com/load-balancer-type: "internal"
|
||||||
|
|
||||||
|
podAnnotations: {}
|
||||||
|
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||||
|
|
||||||
|
#### MESH EXPANSION PORTS ########
|
||||||
|
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||||
|
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||||
|
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||||
|
# exposing unnecessary ports on the web.
|
||||||
|
# You can remove these ports if you are not using mesh expansion
|
||||||
|
meshExpansionPorts:
|
||||||
|
- port: 15012
|
||||||
|
targetPort: 15012
|
||||||
|
name: tcp-istiod
|
||||||
|
####### end MESH EXPANSION PORTS ######
|
||||||
|
|
||||||
|
##############
|
||||||
|
secretVolumes:
|
||||||
|
- name: ingressgateway-certs
|
||||||
|
secretName: istio-ingressgateway-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-certs
|
||||||
|
- name: ingressgateway-ca-certs
|
||||||
|
secretName: istio-ingressgateway-ca-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||||
|
|
||||||
|
customService: false
|
||||||
|
externalTrafficPolicy: ""
|
||||||
|
|
||||||
|
ingressPorts: []
|
||||||
|
additionalContainers: []
|
||||||
|
configVolumes: []
|
||||||
|
|
||||||
|
### Advanced options ############
|
||||||
|
env:
|
||||||
|
# A gateway with this mode ensures that pilot generates an additional
|
||||||
|
# set of clusters for internal services but without Istio mTLS, to
|
||||||
|
# enable cross cluster routing.
|
||||||
|
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||||
|
|
||||||
|
nodeSelector: {}
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||||
|
# your pod is eligible to be scheduled based on labels on pods that are
|
||||||
|
# already running on the node rather than based on labels on nodes.
|
||||||
|
# There are currently two types of anti-affinity:
|
||||||
|
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||||
|
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||||
|
# correspondingly.
|
||||||
|
# For example:
|
||||||
|
# podAntiAffinityLabelSelector:
|
||||||
|
# - key: security
|
||||||
|
# operator: In
|
||||||
|
# values: S1,S2
|
||||||
|
# topologyKey: "kubernetes.io/hostname"
|
||||||
|
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||||
|
# onto a node if that node is already running a pod with label having key
|
||||||
|
# "security" and value "S1".
|
||||||
|
podAntiAffinityLabelSelector: []
|
||||||
|
podAntiAffinityTermLabelSelector: []
|
||||||
|
|
||||||
|
# whether to run the gateway in a privileged container
|
||||||
|
runAsRoot: false
|
||||||
|
|
||||||
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
|
revision: ""
|
||||||
|
|
||||||
|
# For Helm compatibility.
|
||||||
|
ownerName: ""
|
||||||
|
|
||||||
|
global:
|
||||||
|
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||||
|
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||||
|
# should be one of the following two options:
|
||||||
|
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||||
|
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||||
|
defaultConfigVisibilitySettings: []
|
||||||
|
|
||||||
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
|
defaultPodDisruptionBudget:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# A minimal set of requested resources to applied to all deployments so that
|
||||||
|
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||||
|
# Each component can overwrite these default values by adding its own resources
|
||||||
|
# block in the relevant section below and setting the desired resources values.
|
||||||
|
defaultResources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
# memory: 128Mi
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
|
||||||
|
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||||
|
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||||
|
# these default values by adding its tolerations block in the relevant section below
|
||||||
|
# and setting the desired values.
|
||||||
|
# Configure this field in case that all pods of Istio control plane are expected to
|
||||||
|
# be scheduled to particular nodes with specified taints.
|
||||||
|
defaultTolerations: []
|
||||||
|
|
||||||
|
# Default hub for Istio images.
|
||||||
|
# Releases are published to docker hub under 'istio' project.
|
||||||
|
# Dev builds from prow are on gcr.io
|
||||||
|
hub: gcr.io/istio-testing
|
||||||
|
|
||||||
|
# Default tag for Istio images.
|
||||||
|
tag: latest
|
||||||
|
|
||||||
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
imagePullPolicy: ""
|
||||||
|
|
||||||
|
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||||
|
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||||
|
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||||
|
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||||
|
# Must be set for any cluster configured with private docker registry.
|
||||||
|
imagePullSecrets: []
|
||||||
|
# - private-registry-key
|
||||||
|
|
||||||
|
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||||
|
logAsJson: false
|
||||||
|
|
||||||
|
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||||
|
# 0 - Never scheduled
|
||||||
|
# 1 - Least preferred
|
||||||
|
# 2 - No preference
|
||||||
|
# 3 - Most preferred
|
||||||
|
arch:
|
||||||
|
amd64: 2
|
||||||
|
s390x: 2
|
||||||
|
ppc64le: 2
|
||||||
|
|
||||||
|
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||||
|
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||||
|
# If empty, default scope and level will be used as configured in code
|
||||||
|
logging:
|
||||||
|
level: "default:info"
|
||||||
|
|
||||||
|
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||||
|
# ingress gateway
|
||||||
|
meshExpansion:
|
||||||
|
enabled: false
|
||||||
|
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||||
|
# will be exposed on an internal gateway
|
||||||
|
useILB: false
|
||||||
|
|
||||||
|
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||||
|
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||||
|
# will not be killed because of low priority class.
|
||||||
|
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||||
|
# for more detail.
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
|
proxy:
|
||||||
|
image: proxyv2
|
||||||
|
|
||||||
|
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||||
|
# cluster domain. Default value is "cluster.local".
|
||||||
|
clusterDomain: "cluster.local"
|
||||||
|
|
||||||
|
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||||
|
# not set, then the global "logLevel" will be used.
|
||||||
|
componentLogLevel: "misc:error"
|
||||||
|
|
||||||
|
# If set, newly injected sidecars will have core dumps enabled.
|
||||||
|
enableCoreDump: false
|
||||||
|
|
||||||
|
# Log level for proxy, applies to gateways and sidecars.
|
||||||
|
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||||
|
logLevel: warning
|
||||||
|
|
||||||
|
##############################################################################################
|
||||||
|
# The following values are found in other charts. To effectively modify these values, make #
|
||||||
|
# make sure they are consistent across your Istio helm charts #
|
||||||
|
##############################################################################################
|
||||||
|
|
||||||
|
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||||
|
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||||
|
caAddress: ""
|
||||||
|
|
||||||
|
# Used to locate istiod.
|
||||||
|
istioNamespace: istio-system
|
||||||
|
|
||||||
|
# Configure the policy for validating JWT.
|
||||||
|
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||||
|
jwtPolicy: "third-party-jwt"
|
||||||
|
|
||||||
|
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||||
|
# meshes will interact with each other, but it is not required to be
|
||||||
|
# globally/universally unique. For example, if any of the following are true,
|
||||||
|
# then two meshes must have different Mesh IDs:
|
||||||
|
# - Meshes will have their telemetry aggregated in one place
|
||||||
|
# - Meshes will be federated together
|
||||||
|
# - Policy will be written referencing one mesh from the other
|
||||||
|
#
|
||||||
|
# If an administrator expects that any of these conditions may become true in
|
||||||
|
# the future, they should ensure their meshes have different Mesh IDs
|
||||||
|
# assigned.
|
||||||
|
#
|
||||||
|
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||||
|
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||||
|
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||||
|
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||||
|
# ID post-install.
|
||||||
|
#
|
||||||
|
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||||
|
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||||
|
# value.
|
||||||
|
meshID: ""
|
||||||
|
|
||||||
|
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||||
|
mountMtlsCerts: false
|
||||||
|
|
||||||
|
multiCluster:
|
||||||
|
# Set to true to connect two kubernetes clusters via their respective
|
||||||
|
# ingressgateway services when pods in each cluster cannot directly
|
||||||
|
# talk to one another. All clusters should be using Istio mTLS and must
|
||||||
|
# have a shared root CA for this model to work.
|
||||||
|
enabled: false
|
||||||
|
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||||
|
# to properly label proxies
|
||||||
|
clusterName: ""
|
||||||
|
# The suffix for global service names
|
||||||
|
globalDomainSuffix: "global"
|
||||||
|
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||||
|
includeEnvoyFilter: true
|
||||||
|
|
||||||
|
# Network defines the network this cluster belong to. This name
|
||||||
|
# corresponds to the networks in the map of mesh networks.
|
||||||
|
network: ""
|
||||||
|
|
||||||
|
# Configure the certificate provider for control plane communication.
|
||||||
|
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||||
|
# As some platforms may not have kubernetes signing APIs,
|
||||||
|
# Istiod is the default
|
||||||
|
pilotCertProvider: istiod
|
||||||
|
|
||||||
|
sds:
|
||||||
|
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||||
|
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||||
|
# JWT is intended for the CA.
|
||||||
|
token:
|
||||||
|
aud: istio-ca
|
||||||
|
|
||||||
|
sts:
|
||||||
|
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||||
|
# Setting this port to a non-zero value enables STS server.
|
||||||
|
servicePort: 0
|
||||||
|
|
||||||
|
# Deprecated, use meshConfig.trustDomain
|
||||||
|
# trustDomain: ""
|
||||||
|
|
||||||
|
meshConfig:
|
||||||
|
enablePrometheusMerge: true
|
||||||
|
# trustDomain: ""
|
||||||
|
defaultConfig:
|
||||||
|
proxyMetadata: {}
|
||||||
|
tracing:
|
||||||
|
# tlsSettings:
|
||||||
|
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||||
|
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||||
|
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||||
|
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||||
|
# sni: # example: tracer.somedomain
|
||||||
|
# subjectAltNames: []
|
||||||
|
# - tracer.somedomain
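Review bot: `hub: gcr.io/istio-testing` and `tag: latest` leave the gateway image pointing at Istio's development registry with a mutable tag unless the parent chart overrides both values; an unpinned, non-release image on the cluster's ingress path is a supply-chain risk that the values file should at least call out. Pin `hub` to the release registry (`docker.io/istio`) and `tag` to a concrete release, or add above `hub:` a comment such as `# Overridden by the parent chart; these defaults must not be used in production`. The mesh-expansion block already warns that `meshExpansionPorts` exposes 15012 on the public Service, but the `tls` entry (15443) in `ports` is listed whether or not `multiCluster` is enabled and deserves the same warning. The `runAsRoot` comment says "privileged container", while the deployment template drops all capabilities and sets `readOnlyRootFilesystem: true` when it is false, so `# false applies the hardened securityContext (no capabilities, read-only root fs, no privilege escalation)` would describe the knob more accurately.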
|
@ -1,8 +1,9 @@
|
|||||||
|
{{- if index .Values "istio-ingress" "enabled" }}
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: ingressgateway-listener-tcp-keepalive
|
name: ingressgateway-listener-tcp-keepalive
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
spec:
|
spec:
|
||||||
workloadSelector:
|
workloadSelector:
|
||||||
labels:
|
labels:
|
||||||
@ -30,14 +31,15 @@ spec:
|
|||||||
name: 5
|
name: 5
|
||||||
int_value: 60
|
int_value: 60
|
||||||
state: STATE_LISTENING
|
state: STATE_LISTENING
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.ingress.private.enabled }}
|
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingressgateway-listener-tcp-keepalive
|
name: private-ingressgateway-listener-tcp-keepalive
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
spec:
|
spec:
|
||||||
workloadSelector:
|
workloadSelector:
|
||||||
labels:
|
labels:
|
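Review bot: The switch from the fixed `istio-system` to `namespace: {{ .Release.Namespace }}` on both EnvoyFilter objects deserves a template comment, because an EnvoyFilter with a `workloadSelector` only matches pods in its own namespace (unless it lives in the mesh root namespace), so the keepalive filter now silently stops applying if the gateway pods are ever deployed to a namespace other than this release's. Suggest adding above the first resource: `# Must live in the same namespace as the gateway pods selected below; workloadSelector is namespace-scoped.` The `workloadSelector.labels` and the remainder of both filters continue outside the visible hunks.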
@ -0,0 +1,35 @@
|
|||||||
|
{{- if index .Values "istio-ingress" "dnsNames" }}
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: ingress-cert
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
secretName: ingress-cert
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-dns-prod
|
||||||
|
kind: ClusterIssuer
|
||||||
|
dnsNames:
|
||||||
|
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if index .Values "istio-private-ingress" "dnsNames" }}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: private-ingress-cert
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
secretName: private-ingress-cert
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-dns-prod
|
||||||
|
kind: ClusterIssuer
|
||||||
|
dnsNames:
|
||||||
|
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
|
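Review bot: Both Certificate objects hard-code `issuerRef.name: letsencrypt-dns-prod`, a ClusterIssuer this chart neither creates nor declares as a prerequisite, so on a cluster where it is absent the Certificate never becomes Ready, the `ingress-cert` / `private-ingress-cert` secrets never appear, and the Gateways that reference them fail TLS at runtime without any templating error. Consider making the issuer a chart value with the current name as default, e.g. `name: {{ index .Values "istio-ingress" "issuer" | default "letsencrypt-dns-prod" }}` (the `issuer` key is a proposal), and naming the ClusterIssuer as a requirement in the chart README. Also note these Certificates are gated on `dnsNames` alone while the Gateways are gated on `enabled` and `dnsNames`, so a disabled ingress with names configured still requests a certificate from the ACME issuer; gating both the same way, `{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}`, avoids that.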
@ -1,8 +1,9 @@
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
|
||||||
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: ingressgateway
|
name: ingressgateway
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -14,7 +15,7 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
- port:
|
- port:
|
||||||
@ -22,20 +23,21 @@ spec:
|
|||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: ingress-cert
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.ingress.private.enabled }}
|
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingressgateway
|
name: private-ingressgateway
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -47,7 +49,7 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
- port:
|
- port:
|
||||||
@ -55,33 +57,45 @@ spec:
|
|||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: private-ingress-cert
|
||||||
- port:
|
- port:
|
||||||
number: 5672
|
number: 5672
|
||||||
name: amqp
|
name: amqp
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
- port:
|
- port:
|
||||||
number: 5671
|
number: 5671
|
||||||
name: amqps
|
name: amqps
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
- port:
|
- port:
|
||||||
number: 24224
|
number: 24224
|
||||||
name: fluentd-forward
|
name: fluentd-forward
|
||||||
protocol: TLS
|
protocol: TLS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: private-ingress-cert
|
||||||
|
- port:
|
||||||
|
number: 6379
|
||||||
|
name: redis
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
|
- port:
|
||||||
|
number: 6380
|
||||||
|
name: redis-1
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
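Review bot: In the HTTPS servers of the hunks at `@ -22,20 +23,21 @@` and `@ -55,33 +57,45 @@`, `privateKey: /etc/istio/ingressgateway-certs/tls.key` and `serverCertificate: /etc/istio/ingressgateway-certs/tls.crt` are kept alongside the new `credentialName`; when `credentialName` is set Istio loads the certificate from that secret via SDS and, to my recollection, ignores the file paths, so the two lines are leftovers of the mounted-secret approach and should be dropped to keep the certificate source unambiguous (the `fluentd-forward` TLS server carries the same pair). Separately, assuming these templates belong to the kubezero-istio-ingress chart whose values follow, the private Gateway declares TCP/TLS servers on ports 5672, 5671, 24224, 6379 and 6380 while `istio-private-ingress.gateways.istio-ingressgateway.ports` only exposes http-status, http2 and https and keeps the amqp/redis/fluentd entries commented out, so those listeners are unreachable through the Service unless both places are changed together. A comment above the first TCP server, `# Matching Service ports must be enabled in values.yaml (istio-private-ingress ... ports) or these servers are unreachable`, would make the coupling visible. The start of each server block lies outside the visible hunks.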
122
charts/kubezero-istio-ingress/values.yaml
Normal file
122
charts/kubezero-istio-ingress/values.yaml
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
# Make sure these values match kuberzero-istio !!!
|
||||||
|
global:
|
||||||
|
hub: docker.io/istio
|
||||||
|
tag: 1.8.1
|
||||||
|
|
||||||
|
logAsJson: true
|
||||||
|
jwtPolicy: first-party-jwt
|
||||||
|
|
||||||
|
priorityClassName: "system-cluster-critical"
|
||||||
|
|
||||||
|
defaultPodDisruptionBudget:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
arch:
|
||||||
|
amd64: 2
|
||||||
|
|
||||||
|
istio-ingress:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
autoscaleEnabled: false
|
||||||
|
replicaCount: 1
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
# cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
podAntiAffinityLabelSelector:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
values: istio-ingressgateway
|
||||||
|
type: NodePort
|
||||||
|
env:
|
||||||
|
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||||
|
# ISTIO_META_HTTP10: '"1"'
|
||||||
|
|
||||||
|
# The node selector is normally the list of nodeports, see CloudBender
|
||||||
|
nodeSelector:
|
||||||
|
node.kubernetes.io/ingress.public: "30080_30443"
|
||||||
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
nodePort: 30021
|
||||||
|
- name: http2
|
||||||
|
port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
nodePort: 30080
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
nodePort: 30443
|
||||||
|
|
||||||
|
dnsNames: []
|
||||||
|
# - '*.example.com'
|
||||||
|
|
||||||
|
istio-private-ingress:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
# name and labels make the ingress private
|
||||||
|
name: istio-private-ingressgateway
|
||||||
|
labels:
|
||||||
|
app: istio-private-ingressgateway
|
||||||
|
istio: private-ingressgateway
|
||||||
|
|
||||||
|
autoscaleEnabled: false
|
||||||
|
replicaCount: 1
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
# cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
podAntiAffinityLabelSelector:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
values: istio-private-ingressgateway
|
||||||
|
type: NodePort
|
||||||
|
env:
|
||||||
|
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||||
|
# ISTIO_META_HTTP10: '"1"'
|
||||||
|
|
||||||
|
nodeSelector:
|
||||||
|
node.kubernetes.io/ingress.private: "31080_31443"
|
||||||
|
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||||
|
|
||||||
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
nodePort: 31021
|
||||||
|
- name: http2
|
||||||
|
port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
nodePort: 31080
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
nodePort: 31443
|
||||||
|
#- name: fluentd-forward
|
||||||
|
# port: 24224
|
||||||
|
# nodePort: 31224
|
||||||
|
#- name: amqps
|
||||||
|
# port: 5671
|
||||||
|
# nodePort: 31671
|
||||||
|
#- name: amqp
|
||||||
|
# port: 5672
|
||||||
|
# nodePort: 31672
|
||||||
|
#- name: redis
|
||||||
|
# port: 6379
|
||||||
|
# nodePort: 31379
|
||||||
|
|
||||||
|
dnsNames: []
|
||||||
|
# - '*.example.com'
|
||||||
|
|
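Review bot: `jwtPolicy: first-party-jwt` under `global` means sidecars and gateways authenticate to istiod with the pod's legacy service-account token, which is not audience-bound and does not expire, whereas `third-party-jwt` uses projected, short-lived tokens; Istio documents first-party as the fallback for clusters without service-account token projection. If the kubeadm targets this repository deploys lack projection that is a justified choice, but it should carry a comment and be revisited once the API server has it enabled, e.g. `# legacy SA tokens; switch to third-party-jwt once service-account token projection is available`. The header comment also misspells the sibling chart (`kuberzero-istio` should read `kubezero-istio`), which matters because it is the only pointer telling a maintainer where `global.hub`/`global.tag` must be kept in sync.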
2
charts/kubezero-istio/.gitignore
vendored
2
charts/kubezero-istio/.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
istioctl
|
istioctl
|
||||||
istio-*
|
istio-?.?.?
|
||||||
|
2
charts/kubezero-istio/.helmignore
Normal file
2
charts/kubezero-istio/.helmignore
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
istioctl
|
||||||
|
istio-?.?.?
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.4
|
version: 0.4.1
|
||||||
appVersion: 1.7.3
|
appVersion: 1.8.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -15,6 +15,8 @@ dependencies:
|
|||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-operator
|
- name: base
|
||||||
version: ">= 1.7"
|
version: 1.1.0
|
||||||
|
- name: istio-discovery
|
||||||
|
version: 1.2.0
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
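Review bot: The new `base` and `istio-discovery` dependencies are pinned to exact versions but carry no `repository:` entry, so Helm can only resolve them from vendored copies under `charts/`, which `helm dependency update` will not fetch; the `.gitignore`/`.helmignore` additions suggest they are pulled in by a script instead. A short comment on the dependency block naming how the subcharts are populated, and that a version bump here must be mirrored there, would save the next maintainer a failed `helm dep up`, e.g. `# base and istio-discovery are vendored from the upstream Istio release; see the chart's update script`. The exact pinning itself is the right choice for reproducibility.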
@ -1,10 +1,10 @@
|
|||||||
# kubezero-istio
|
# kubezero-istio
|
||||||
|
|
||||||
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square)
|
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for Istio
|
KubeZero Umbrella Chart for Istio
|
||||||
|
|
||||||
Installs Istio Operator and KubeZero Istio profile
|
Installs the Istio control plane
|
||||||
|
|
||||||
**Homepage:** <https://kubezero.com>
|
**Homepage:** <https://kubezero.com>
|
||||||
|
|
||||||
@ -20,26 +20,33 @@ Kubernetes: `>= 1.16.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | istio-operator | >= 1.7 |
|
| | base | 1.1.0 |
|
||||||
|
| | istio-discovery | 1.2.0 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
|
||||||
- mapped istio-operator to run on the controller nodes only
|
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
|
|
||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| ingress.autoscaleEnabled | bool | `false` | |
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
| ingress.dnsNames[0] | string | `"*"` | |
|
| global.hub | string | `"docker.io/istio"` | |
|
||||||
| ingress.private.enabled | bool | `true` | |
|
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||||
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
|
| global.logAsJson | bool | `true` | |
|
||||||
| ingress.replicaCount | int | `2` | |
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
| ingress.type | string | `"NodePort"` | |
|
| global.tag | string | `"1.8.0"` | |
|
||||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||||
| istio-operator.tag | string | `"1.7.3"` | |
|
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||||
| istiod.autoscaleEnabled | bool | `false` | |
|
| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
|
||||||
| istiod.replicaCount | int | `1` | |
|
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
|
||||||
|
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
|
||||||
|
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||||
|
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
|
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||||
|
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||||
|
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||||
|
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
|