Merge pull request 'Merge argoless branch into master' (#30) from argoless into master
Reviewed-on: ZeroDownTime/kubezero#30
commit
a570431940
14
Makefile
Normal file
@ -0,0 +1,14 @@
|
||||
BUCKET ?= zero-downtime
|
||||
BUCKET_PREFIX ?= /cloudbender/distfiles
|
||||
FILES ?= distfiles.txt
|
||||
|
||||
.PHONY: clean update
|
||||
|
||||
all: update
|
||||
|
||||
|
||||
clean:
|
||||
rm -f kube*.tgz
|
||||
|
||||
update:
|
||||
./script/update_helm.sh
|
@ -1 +0,0 @@
|
||||
../../helm-charts/charts/fluent-bit
|
13
charts/kubeadm/Chart.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
apiVersion: v2
|
||||
name: kubeadm
|
||||
description: KubeZero Kubeadm golden config
|
||||
type: application
|
||||
version: 1.18.14
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
- kubezero
|
||||
- kubeadm
|
||||
maintainers:
|
||||
- name: Quarky9
|
||||
kubeVersion: ">= 1.16.0"
|
28
charts/kubeadm/README.md.gotmpl
Normal file
@ -0,0 +1,28 @@
|
||||
{{ template "chart.header" . }}
|
||||
{{ template "chart.deprecationWarning" . }}
|
||||
|
||||
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||
|
||||
{{ template "chart.description" . }}
|
||||
|
||||
Installs the Istio control plane
|
||||
|
||||
{{ template "chart.homepageLine" . }}
|
||||
|
||||
{{ template "chart.maintainersSection" . }}
|
||||
|
||||
{{ template "chart.sourcesSection" . }}
|
||||
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
## Resources
|
||||
|
||||
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
|
||||
- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
|
||||
- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
|
||||
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
|
||||
- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
|
||||
|
||||
- https://github.com/awslabs/amazon-eks-ami
|
61
charts/kubeadm/templates/ClusterConfiguration.yaml
Normal file
@ -0,0 +1,61 @@
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: ClusterConfiguration
|
||||
metadata:
|
||||
name: kubezero-clusterconfiguration
|
||||
kubernetesVersion: {{ .Values.clusterVersion }}
|
||||
clusterName: {{ .Values.clusterName }}
|
||||
controlPlaneEndpoint: {{ .Values.apiEndpoint }}
|
||||
networking:
|
||||
podSubnet: 10.244.0.0/16
|
||||
etcd:
|
||||
local:
|
||||
extraArgs:
|
||||
listen-metrics-urls: "http://0.0.0.0:2381"
|
||||
{{- with .Values.etcdExtraArgs }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
controllerManager:
|
||||
extraArgs:
|
||||
profiling: "false"
|
||||
bind-address: 0.0.0.0
|
||||
terminated-pod-gc-threshold: "300"
|
||||
leader-elect: {{ .Values.clusterHighAvailable | quote }}
|
||||
# Default anyways but make kube-bench happy
|
||||
feature-gates: "RotateKubeletServerCertificate=true"
|
||||
scheduler:
|
||||
extraArgs:
|
||||
profiling: "false"
|
||||
bind-address: 0.0.0.0
|
||||
leader-elect: {{ .Values.clusterHighAvailable | quote }}
|
||||
apiServer:
|
||||
certSANs:
|
||||
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
|
||||
extraArgs:
|
||||
etcd-servers: {{ .Values.allEtcdEndpoints }}
|
||||
profiling: "false"
|
||||
feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true"
|
||||
audit-log-path: "/var/log/kubernetes/audit.log"
|
||||
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
||||
audit-log-maxage: "7"
|
||||
audit-log-maxsize: "100"
|
||||
audit-log-maxbackup: "3"
|
||||
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
||||
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
|
||||
enable-admission-plugins: NodeRestriction,EventRateLimit
|
||||
{{- if .Values.clusterHighAvailable }}
|
||||
goaway-chance: ".001"
|
||||
{{- end }}
|
||||
{{- with .Values.apiExtraArgs }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
extraVolumes:
|
||||
- name: kubezero-apiserver
|
||||
hostPath: /etc/kubernetes/apiserver
|
||||
mountPath: /etc/kubernetes/apiserver
|
||||
readOnly: true
|
||||
pathType: DirectoryOrCreate
|
||||
- name: audit-log
|
||||
hostPath: /var/log/kubernetes
|
||||
mountPath: /var/log/kubernetes
|
||||
pathType: DirectoryOrCreate
|
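Review bot: The templated scalars `kubernetesVersion`, `clusterName`, `controlPlaneEndpoint` and `etcd-servers` are emitted unquoted, so a value such as `1.18` is read as a float and an empty value renders as null; with this chart's default `allEtcdEndpoints: ""` the template produces exactly `etcd-servers:` with no value. Pipe each through `| quote` as `leader-elect` already does, e.g. `etcd-servers: {{ .Values.allEtcdEndpoints | quote }}`. Separately, `bind-address: 0.0.0.0` on both controllerManager and scheduler sits a few lines from a comment about making kube-bench happy, yet the CIS checks for these two components expect `127.0.0.1`; if the wide bind is deliberate so the metrics endpoints can be scraped, a comment saying so next to the key would save the next reader a round trip.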
12
charts/kubeadm/templates/InitConfiguration.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: InitConfiguration
|
||||
metadata:
|
||||
name: kubezero-initconfiguration
|
||||
localAPIEndpoint:
|
||||
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
|
||||
nodeRegistration:
|
||||
ignorePreflightErrors:
|
||||
- Swap
|
||||
- DirAvailable--var-lib-etcd
|
||||
kubeletExtraArgs:
|
||||
node-labels: {{ .Values.nodeLabels | quote }}
|
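Review bot: `bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}` yields the hostname instead of a port when `apiEndpoint` is given without a `:port` suffix, and the same expression is used in JoinConfiguration.yaml in this commit; the default `kube-api.changeme.org:6443` hides the failure mode. Either document on `apiEndpoint` in values.yaml that the `host:port` form is mandatory, or guard the template with `required`/`fail` when the split produces fewer than two parts. `nodeLabels` is read here but is not declared in the chart's values.yaml in this commit, so the generated README will not list it.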
18
charts/kubeadm/templates/JoinConfiguration.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: JoinConfiguration
|
||||
metadata:
|
||||
name: kubezero-joinconfiguration
|
||||
discovery:
|
||||
bootstrapToken:
|
||||
apiServerEndpoint: {{ .Values.apiEndpoint }}
|
||||
token: {{ .Values.joinToken }}
|
||||
caCertHashes:
|
||||
- "{{ .Values.caCertHash }}"
|
||||
nodeRegistration:
|
||||
ignorePreflightErrors:
|
||||
- DirAvailable--var-lib-etcd
|
||||
- Swap
|
||||
controlPlane:
|
||||
localAPIEndpoint:
|
||||
advertiseAddress: {{ .Values.ipAddress }}
|
||||
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
|
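Review bot: `token: {{ .Values.joinToken }}` is emitted as a plain scalar, and a bootstrap token whose two dot-separated parts happen to be all digits is parsed by YAML as a float, silently corrupting the credential; the `caCertHashes` entry a few lines below is already quoted, so the omission looks accidental. Quote it, `token: {{ .Values.joinToken | quote }}`, and consider the same for `apiServerEndpoint` and `advertiseAddress`. With the default `joinToken: ""` the unquoted form also renders `token:` with no value rather than an empty string.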
6
charts/kubeadm/templates/KubeProxyConfiguration.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
||||
kind: KubeProxyConfiguration
|
||||
metadata:
|
||||
name: kubezero-kubeproxyconfiguration
|
||||
metricsBindAddress: "0.0.0.0:10249"
|
||||
mode: ""
|
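Review bot: `metricsBindAddress: "0.0.0.0:10249"` exposes the unauthenticated kube-proxy metrics endpoint on every node interface. If scraping from the pod network is the reason, a comment stating that next to the key documents the trade-off; otherwise `127.0.0.1:10249` keeps the exposure local. `mode: ""` reads as "unset" only to someone who knows kube-proxy's default selection; a short comment such as `# empty selects kube-proxy's default proxy mode` would help.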
19
charts/kubeadm/templates/KubeletConfiguration.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
apiVersion: kubelet.config.k8s.io/v1beta1
|
||||
kind: KubeletConfiguration
|
||||
metadata:
|
||||
name: kubezero-kubeletconfiguration
|
||||
failSwapOn: false
|
||||
hairpinMode: hairpin-veth
|
||||
resolvConf: /run/systemd/resolve/resolv.conf
|
||||
protectKernelDefaults: true
|
||||
eventRecordQPS: 0
|
||||
# Breaks kubelet at boot time
|
||||
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
|
||||
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
|
||||
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
|
||||
featureGates:
|
||||
# Default anyways but make kube-bench happy
|
||||
RotateKubeletServerCertificate: true
|
||||
CSIMigration: true
|
||||
CSIMigrationAWS: true
|
||||
CSIMigrationAWSComplete: true
|
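Review bot: The `tlsCipherSuites` list includes `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, two static-RSA suites without forward secrecy that the apiserver's `tls-cipher-suites` in ClusterConfiguration.yaml omits; unless a specific client needs them, dropping them keeps the two lists consistent. `eventRecordQPS: 0` removes the kubelet's event rate limit entirely, which the apiserver-side EventRateLimit plugin configured in this commit only partly bounds; a one-line comment explaining why unlimited is wanted would help the next reader. The long flow-style list would also read better in block style, one suite per line, so changes show up as single-line diffs.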
@ -0,0 +1,7 @@
|
||||
apiVersion: apiserver.config.k8s.io/v1
|
||||
kind: AdmissionConfiguration
|
||||
metadata:
|
||||
name: kubezero-admissionconfiguration
|
||||
plugins:
|
||||
- name: EventRateLimit
|
||||
path: /etc/kubernetes/apiserver/event-config.yaml
|
7
charts/kubeadm/templates/apiserver/audit-policy.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
# Don't Log anything, but audit policy enabled
|
||||
apiVersion: audit.k8s.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: kubezero-auditpolicy
|
||||
rules:
|
||||
- level: None
|
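Review bot: `rules: - level: None` discards every event, so the audit log path, rotation and policy file wired up in ClusterConfiguration.yaml produce an empty file; the header comment says the intent is only to have a policy enabled, but an empty audit trail gives incident response nothing to work with. A minimal policy that still keeps volume low logs `Metadata` for write verbs and for `secrets`/`configmaps` while keeping `None` for read-only requests and health probes. At least the header comment should spell the consequence out, e.g. `# Intentionally records nothing; replace with a Metadata-level policy before relying on the audit log`.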
13
charts/kubeadm/templates/apiserver/event-config.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
|
||||
kind: Configuration
|
||||
metadata:
|
||||
name: kubezero-eventratelimits
|
||||
limits:
|
||||
- type: Namespace
|
||||
qps: 50
|
||||
burst: 100
|
||||
cacheSize: 20
|
||||
- type: User
|
||||
qps: 10
|
||||
burst: 50
|
||||
cacheSize: 20
|
32
charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
Normal file
@ -0,0 +1,32 @@
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: iamidentitymappings.iamauthenticator.k8s.aws
|
||||
spec:
|
||||
group: iamauthenticator.k8s.aws
|
||||
version: v1alpha1
|
||||
scope: Cluster
|
||||
names:
|
||||
plural: iamidentitymappings
|
||||
singular: iamidentitymapping
|
||||
kind: IAMIdentityMapping
|
||||
categories:
|
||||
- all
|
||||
subresources:
|
||||
status: {}
|
||||
validation:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
required:
|
||||
- arn
|
||||
- username
|
||||
properties:
|
||||
arn:
|
||||
type: string
|
||||
username:
|
||||
type: string
|
||||
groups:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
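Review bot: The CRD is declared as `apiextensions.k8s.io/v1beta1`, which is deprecated and removed in Kubernetes 1.22, while the chart's `kubeVersion: ">= 1.16.0"` already guarantees the `v1` API is available. Migrating means moving `version`/`validation` under `versions:` with `served`/`storage`, and `v1` requires `type: object` on the schema root, which the current `openAPIV3Schema` lacks. If the chart must keep supporting clusters that only have v1beta1, a comment stating that constraint would explain the choice.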
164
charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
Normal file
@ -0,0 +1,164 @@
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
rules:
|
||||
- apiGroups:
|
||||
- iamauthenticator.k8s.aws
|
||||
resources:
|
||||
- iamidentitymappings
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- iamauthenticator.k8s.aws
|
||||
resources:
|
||||
- iamidentitymappings/status
|
||||
verbs:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
resourceNames:
|
||||
- aws-auth
|
||||
verbs:
|
||||
- get
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: aws-iam-authenticator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: aws-iam-authenticator
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: aws-iam-authenticator
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
data:
|
||||
config.yaml: |
|
||||
clusterID: {{ .Values.clusterName }}
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
namespace: kube-system
|
||||
name: aws-iam-authenticator
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/pod: runtime/default
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||
labels:
|
||||
k8s-app: aws-iam-authenticator
|
||||
spec:
|
||||
# use service account with access to
|
||||
serviceAccountName: aws-iam-authenticator
|
||||
|
||||
# run on the host network (don't depend on CNI)
|
||||
hostNetwork: true
|
||||
|
||||
# run on each master node
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
|
||||
containers:
|
||||
- name: aws-iam-authenticator
|
||||
image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2
|
||||
args:
|
||||
- server
|
||||
- --backend-mode=CRD,MountedFile
|
||||
- --config=/etc/aws-iam-authenticator/config.yaml
|
||||
- --state-dir=/var/aws-iam-authenticator
|
||||
- --kubeconfig-pregenerated=true
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 20Mi
|
||||
cpu: 10m
|
||||
limits:
|
||||
memory: 20Mi
|
||||
cpu: 100m
|
||||
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/aws-iam-authenticator/
|
||||
- name: state
|
||||
mountPath: /var/aws-iam-authenticator/
|
||||
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: aws-iam-authenticator
|
||||
- name: state
|
||||
hostPath:
|
||||
path: /var/aws-iam-authenticator/
|
||||
---
|
||||
apiVersion: iamauthenticator.k8s.aws/v1alpha1
|
||||
kind: IAMIdentityMapping
|
||||
metadata:
|
||||
name: kubernetes-admin
|
||||
spec:
|
||||
# Arn of the User or Role to be allowed to authenticate
|
||||
arn: {{ .Values.kubeAdminRole }}
|
||||
username: kubernetes-admin
|
||||
groups:
|
||||
- system:masters
|
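Review bot: The `seccomp.security.alpha.kubernetes.io/pod: runtime/default` annotation is attached to the DaemonSet object's own `metadata`, not to `spec.template.metadata`, so it never reaches the pods and the authenticator runs without the intended seccomp profile; move it into the template's `annotations:` next to the `critical-pod` entry. That `scheduler.alpha.kubernetes.io/critical-pod: ""` annotation is itself deprecated in favour of `priorityClassName: system-cluster-critical` in the pod spec. The ClusterRoleBinding uses `rbac.authorization.k8s.io/v1beta1` while the ClusterRole above it uses `v1`; v1beta1 RBAC is removed in 1.22, and `namespace: kube-system` on a cluster-scoped binding is ignored. The image is pinned by tag only (`:v0.5.2`); for the component that decides who becomes `system:masters`, pinning by digest is worth the extra noise.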
11
charts/kubeadm/values.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
clusterVersion: 1.18.0
|
||||
clusterName: pleasechangeme
|
||||
apiEndpoint: kube-api.changeme.org:6443
|
||||
etcdExtraArgs: {}
|
||||
# Enable for > 1.18
|
||||
# unsafe-no-fsync: "true"
|
||||
apiExtraArgs: {}
|
||||
clusterHighAvailable: false
|
||||
allEtcdEndpoints: ""
|
||||
joinToken: ""
|
||||
caCertHash: ""
|
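Review bot: The templates in this chart read `.Values.nodeLabels` (InitConfiguration.yaml), `.Values.ipAddress` (JoinConfiguration.yaml) and `.Values.kubeAdminRole` (aws-iam-authenticator/deployment.yaml), none of which is declared here, so the README generator driven by `chart.valuesSection` will not list them and a missing `kubeAdminRole` renders `arn:` with no value in the mapping that grants `system:masters`. Declaring them with empty defaults and a `# key -- description` comment each, and having the template `required` the ones that must not be empty (`{{ required "kubeAdminRole is required" .Values.kubeAdminRole }}`), makes the contract explicit. `clusterVersion: 1.18.0` parses as a string only because it has two dots; quoting it as `"1.18.0"` protects the next editor who writes `1.19`.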
@ -1,26 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kubezero
|
||||
namespace: argocd
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
project: kubezero
|
||||
source:
|
||||
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
|
||||
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
|
||||
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
|
||||
|
||||
helm:
|
||||
values: |
|
||||
{{- toYaml .Values.kubezero | nindent 8 }}
|
||||
|
||||
destination:
|
||||
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
||||
namespace: argocd
|
||||
|
||||
{{- if .Values.kubezero.global.syncPolicy }}
|
||||
syncPolicy:
|
||||
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
|
||||
{{- end }}
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v2
|
||||
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
name: kubezero-argo-cd
|
||||
version: 0.6.0
|
||||
name: kubezero-argocd
|
||||
version: 0.6.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -15,6 +15,6 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: argo-cd
|
||||
version: 2.9.3
|
||||
version: 2.9.5
|
||||
repository: https://argoproj.github.io/argo-helm
|
||||
kubeVersion: ">= 1.17.0"
|
||||
kubeVersion: ">= 1.16.0"
|
@ -1,6 +1,6 @@
|
||||
# kubezero-argo-cd
|
||||
# kubezero-argocd
|
||||
|
||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
|
||||
![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
|
||||
|
||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
|
||||
@ -14,11 +14,11 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.17.0`
|
||||
Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 |
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
|
||||
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
||||
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
||||
| argo-cd.dex.enabled | bool | `false` | |
|
||||
| argo-cd.global.image.tag | string | `"v1.7.8"` | |
|
||||
| argo-cd.global.image.tag | string | `"v1.7.10"` | |
|
||||
| argo-cd.installCRDs | bool | `false` | |
|
||||
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||
| argo-cd.istio.ipBlocks | list | `[]` | |
|
||||
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
||||
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
||||
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
||||
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
||||
@ -53,12 +48,16 @@ Kubernetes: `>= 1.17.0`
|
||||
| argo-cd.server.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
||||
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
|
||||
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
||||
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
||||
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL |
|
||||
| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||
| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||
| istio.ipBlocks | list | `[]` | |
|
||||
| kubezero.enabled | bool | `false` | |
|
||||
| kubezero.path | string | `"charts/kubezero"` | path within repoURL |
|
||||
| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications |
|
||||
| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster |
|
||||
| kubezero.targetRevision | string | `"HEAD"` | git branch to track |
|
||||
| kubezero.valuesFiles[0] | string | `"values.yaml"` | |
|
||||
|
||||
## Resources
|
||||
- https://argoproj.github.io/argo-cd/operator-manual/metrics/
|
@ -1,5 +1,5 @@
|
||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
||||
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||
{{- if .Values.istio.enabled }}
|
||||
{{- if .Values.istio.ipBlocks }}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
@ -16,7 +16,7 @@ spec:
|
||||
- from:
|
||||
- source:
|
||||
notIpBlocks:
|
||||
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||
{{- with .Values.istio.ipBlocks }}
|
||||
{{- . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
to:
|
@ -1,4 +1,4 @@
|
||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
||||
{{- if .Values.istio.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
@ -7,7 +7,7 @@ metadata:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
gateways:
|
||||
- {{ index .Values "argo-cd" "istio" "gateway" }}
|
||||
- {{ .Values.istio.gateway }}
|
||||
hosts:
|
||||
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
||||
http:
|
||||
@ -18,13 +18,13 @@ spec:
|
||||
prefix: argocd-client
|
||||
route:
|
||||
- destination:
|
||||
host: {{ .Release.Name }}-argocd-server
|
||||
host: argocd-server
|
||||
port:
|
||||
number: 443
|
||||
- name: http
|
||||
route:
|
||||
- destination:
|
||||
host: {{ .Release.Name }}-argocd-server
|
||||
host: argocd-server
|
||||
port:
|
||||
number: 80
|
||||
{{- end }}
|
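Review bot: `host: argocd-server` replaces the `{{ .Release.Name }}-argocd-server` form in both routes, so the VirtualService now resolves only when the argo-cd subchart's Service is named exactly `argocd-server` regardless of release name; nothing visible in this commit's values.yaml sets a `fullnameOverride` to guarantee that, so either the override belongs in values or the release-aware form should stay. A short comment above the first `host:` stating where the fixed name comes from would make the coupling visible. The enclosing template starts before this hunk.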
@ -1,3 +1,4 @@
|
||||
{{- if .Values.kubezero.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: AppProject
|
||||
metadata:
|
||||
@ -12,7 +13,6 @@ spec:
|
||||
sourceRepos:
|
||||
- '*'
|
||||
|
||||
# Only permit applications to deploy to the guestbook namespace in the same cluster
|
||||
destinations:
|
||||
- namespace: argocd
|
||||
server: https://kubernetes.default.svc
|
||||
@ -20,10 +20,10 @@ spec:
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: cert-manager
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: istio-operator
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: istio-system
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: istio-ingress
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: monitoring
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: elastic-system
|
||||
@ -34,3 +34,32 @@ spec:
|
||||
clusterResourceWhitelist:
|
||||
- group: '*'
|
||||
kind: '*'
|
||||
|
||||
---
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kubezero
|
||||
namespace: argocd
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
project: kubezero
|
||||
source:
|
||||
repoURL: {{ .Values.kubezero.repoURL }}
|
||||
targetRevision: {{ .Values.kubezero.targetRevision }}
|
||||
path: {{ .Values.kubezero.path }}
|
||||
|
||||
helm:
|
||||
valueFiles:
|
||||
{{- toYaml .Values.kubezero.valuesFiles | nindent 6 }}
|
||||
|
||||
destination:
|
||||
server: {{ .Values.kubezero.server }}
|
||||
namespace: argocd
|
||||
|
||||
{{- with .Values.kubezero.syncPolicy }}
|
||||
syncPolicy:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
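Review bot: The new Application takes its Helm value files from `.Values.kubezero.valuesFiles` but writes them under the Argo CD field `valueFiles`, and the values key carries no doc comment in this commit, so the one-letter difference will trip the next person editing either side; a `# kubezero.valuesFiles -- Helm value files passed to the kubezero Application` comment in values.yaml, or aligning the key name with the field, would help. `repoURL`, `targetRevision`, `path` and `server` are emitted unquoted, so an empty override renders as null rather than an empty string; `| quote` on each keeps the rendered manifest well-formed.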
@ -1,25 +1,36 @@
|
||||
# Configure app of apps
|
||||
kubezero:
|
||||
global:
|
||||
# kubezero.global.defaultDestination -- Destination cluster
|
||||
defaultDestination:
|
||||
enabled: false
|
||||
|
||||
# kubezero.server -- destination cluster
|
||||
server: https://kubernetes.default.svc
|
||||
|
||||
# This repoURL is used a base for all the repoURLs applications
|
||||
# Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be
|
||||
# integrated into any repository as a git subtree if for example public internet access is unavailable
|
||||
defaultSource:
|
||||
# kubezero.global.defaultSource.repoURL -- default repository for argocd applications
|
||||
# kubezero.repoURL -- repository for kubezero argo applications
|
||||
repoURL: https://github.com/zero-down-time/kubezero
|
||||
# kubezero.global.defaultSource.targetRevision -- default tracking of repoURL
|
||||
# kubezero.targetRevision -- git branch to track
|
||||
targetRevision: HEAD
|
||||
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
|
||||
pathPrefix: ''
|
||||
# kubezero.path -- path within repoURL
|
||||
path: 'charts/kubezero'
|
||||
|
||||
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
|
||||
#syncPolicy:
|
||||
# automated:
|
||||
# prune: true
|
||||
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
|
||||
# Support for Istio Ingress for ArgoCD
|
||||
istio:
|
||||
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||
enabled: false
|
||||
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||
gateway: istio-ingress/ingressgateway
|
||||
ipBlocks: []
|
||||
|
||||
argo-cd:
|
||||
installCRDs: false
|
||||
|
||||
@ -31,7 +42,7 @@ argo-cd:
|
||||
|
||||
global:
|
||||
image:
|
||||
tag: v1.7.8
|
||||
tag: v1.7.10
|
||||
|
||||
controller:
|
||||
args:
|
||||
@ -44,7 +55,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -62,7 +72,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -72,6 +81,9 @@ argo-cd:
|
||||
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
|
||||
url: argocd.example.com
|
||||
|
||||
#repositories: |
|
||||
# - url: https://zero-down-time.github.io/kubezero.git
|
||||
|
||||
resource.customizations: |
|
||||
cert-manager.io/Certificate:
|
||||
# Lua script for customizing the health status assessment
|
||||
@ -105,7 +117,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -118,10 +129,3 @@ argo-cd:
|
||||
|
||||
dex:
|
||||
enabled: false
|
||||
|
||||
istio:
|
||||
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||
enabled: false
|
||||
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||
gateway: istio-system/ingressgateway
|
||||
ipBlocks: []
|
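Review bot: `ipBlocks: []` under the new top-level `istio:` block is the only key in that group without a `# istio.<key> -- …` doc comment, and its meaning is not obvious: the AuthorizationPolicy template changed in this commit is wrapped in `{{- if .Values.istio.ipBlocks }}`, so an empty list means no policy is rendered and an Istio-exposed ArgoCD accepts traffic from any source. A comment such as `# istio.ipBlocks -- source IP ranges allowed to reach ArgoCD; empty renders no AuthorizationPolicy` makes that explicit. The move from `argo-cd.istio.*` to `istio.*` also changes the default gateway from `istio-system/ingressgateway` to `istio-ingress/ingressgateway`, and values files that still set the old keys are silently ignored by the templates; the bump to 0.6.1 does not signal a breaking change, so a README or changelog line about the renamed keys is worth adding.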
@ -1 +0,0 @@
|
||||
git
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-aws-ebs-csi-driver
|
||||
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||
type: application
|
||||
version: 0.3.2
|
||||
appVersion: 0.7.0
|
||||
version: 0.3.4
|
||||
appVersion: 0.8.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
sources:
|
||||
@ -17,6 +17,9 @@ keywords:
|
||||
maintainers:
|
||||
- name: Quarky9
|
||||
dependencies:
|
||||
- name: aws-ebs-csi-driver
|
||||
version: 0.7.1
|
||||
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
|
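Review bot: The `aws-ebs-csi-driver` dependency now comes from the remote repository `https://kubernetes-sigs.github.io/aws-ebs-csi-driver` instead of the vendored copy this commit deletes, so the chart contents are pinned only by the version string `0.7.1`; if the `Chart.lock` that `helm dependency update` writes is not already part of the commit, committing it pins the dependency digest so a re-published 0.7.1 cannot change what gets deployed. `appVersion: 0.8.0` is no longer tied to anything visible in the chart; a comment noting which upstream driver version chart 0.7.1 ships would keep the two from drifting.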
@ -1,6 +1,6 @@
|
||||
# kubezero-aws-ebs-csi-driver
|
||||
|
||||
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
|
||||
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||
|
||||
@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.7.1 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## IAM Role
|
||||
|
@ -1,16 +0,0 @@
|
||||
apiVersion: v1
|
||||
appVersion: "0.7.0"
|
||||
name: aws-ebs-csi-driver
|
||||
description: A Helm chart for AWS EBS CSI Driver
|
||||
version: 0.6.0
|
||||
kubeVersion: ">=1.13.0-0"
|
||||
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||
sources:
|
||||
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||
keywords:
|
||||
- aws
|
||||
- ebs
|
||||
- csi
|
||||
maintainers:
|
||||
- name: leakingtapan
|
||||
email: chengpan@amazon.com
|
@ -1,3 +0,0 @@
|
||||
To verify that aws-ebs-csi-driver has started, run:
|
||||
|
||||
kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
|
@ -1,20 +0,0 @@
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-external-attacher-role
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["csi.storage.k8s.io"]
|
||||
resources: ["csinodeinfos"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-external-provisioner-role
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshots"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["csinodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
@ -1,31 +0,0 @@
|
||||
{{- if .Values.enableVolumeResizing }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-external-resizer-role
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
# The following rule should be uncommented for plugins that require secrets
|
||||
# for provisioning.
|
||||
# - apiGroups: [""]
|
||||
# resources: ["secrets"]
|
||||
# verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
|
||||
{{- end}}
|
@ -1,35 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-snapshot-controller-role
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshots"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshots/status"]
|
||||
verbs: ["update"]
|
||||
|
||||
{{- end }}
|
@ -1,25 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-external-snapshotter-role
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents/status"]
|
||||
verbs: ["update"]
|
||||
{{- end }}
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-csi-attacher-binding
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-csi-controller-sa
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: ebs-external-attacher-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-csi-provisioner-binding
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-csi-controller-sa
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: ebs-external-provisioner-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,18 +0,0 @@
|
||||
{{- if .Values.enableVolumeResizing }}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-csi-resizer-binding
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-csi-controller-sa
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: ebs-external-resizer-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
{{- end}}
|
@ -1,18 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-csi-snapshot-controller-binding
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-snapshot-controller
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: ebs-snapshot-controller-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
{{- end }}
|
@ -1,18 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-csi-snapshotter-binding
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-csi-controller-sa
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: ebs-external-snapshotter-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
{{- end }}
|
@ -1,157 +0,0 @@
|
||||
# Controller Service
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: ebs-csi-controller
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ebs-csi-controller
|
||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ebs-csi-controller
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||
{{- if .Values.podAnnotations }}
|
||||
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
{{- with .Values.nodeSelector }}
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: ebs-csi-controller-sa
|
||||
priorityClassName: system-cluster-critical
|
||||
{{- with .Values.affinity }}
|
||||
affinity: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
{{- with .Values.tolerations }}
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: ebs-plugin
|
||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
args:
|
||||
{{- if ne .Release.Name "kustomize" }}
|
||||
- controller
|
||||
{{- else }}
|
||||
# - {all,controller,node} # specify the driver mode
|
||||
{{- end }}
|
||||
- --endpoint=$(CSI_ENDPOINT)
|
||||
{{- if .Values.extraVolumeTags }}
|
||||
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
|
||||
{{- end }}
|
||||
- --logtostderr
|
||||
- --v=5
|
||||
env:
|
||||
- name: CSI_ENDPOINT
|
||||
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
|
||||
- name: AWS_ACCESS_KEY_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: aws-secret
|
||||
key: key_id
|
||||
optional: true
|
||||
- name: AWS_SECRET_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: aws-secret
|
||||
key: access_key
|
||||
optional: true
|
||||
{{- if .Values.region }}
|
||||
- name: AWS_REGION
|
||||
value: {{ .Values.region }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
||||
ports:
|
||||
- name: healthz
|
||||
containerPort: 9808
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: healthz
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 3
|
||||
periodSeconds: 10
|
||||
failureThreshold: 5
|
||||
{{- with .Values.resources }}
|
||||
resources: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
- name: csi-provisioner
|
||||
image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }}
|
||||
args:
|
||||
- --csi-address=$(ADDRESS)
|
||||
- --v=5
|
||||
{{- if .Values.enableVolumeScheduling }}
|
||||
- --feature-gates=Topology=true
|
||||
{{- end}}
|
||||
- --enable-leader-election
|
||||
- --leader-election-type=leases
|
||||
env:
|
||||
- name: ADDRESS
|
||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
||||
- name: csi-attacher
|
||||
image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }}
|
||||
args:
|
||||
- --csi-address=$(ADDRESS)
|
||||
- --v=5
|
||||
- --leader-election=true
|
||||
- --leader-election-type=leases
|
||||
env:
|
||||
- name: ADDRESS
|
||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
- name: csi-snapshotter
|
||||
image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }}
|
||||
args:
|
||||
- --csi-address=$(ADDRESS)
|
||||
- --leader-election=true
|
||||
env:
|
||||
- name: ADDRESS
|
||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
||||
{{- end }}
|
||||
{{- if .Values.enableVolumeResizing }}
|
||||
- name: csi-resizer
|
||||
image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }}
|
||||
imagePullPolicy: Always
|
||||
args:
|
||||
- --csi-address=$(ADDRESS)
|
||||
- --v=5
|
||||
env:
|
||||
- name: ADDRESS
|
||||
value: /var/lib/csi/sockets/pluginproxy/csi.sock
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /var/lib/csi/sockets/pluginproxy/
|
||||
{{- end }}
|
||||
- name: liveness-probe
|
||||
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
|
||||
args:
|
||||
- --csi-address=/csi/csi.sock
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
volumes:
|
||||
- name: socket-dir
|
||||
emptyDir: {}
|
@ -1,9 +0,0 @@
|
||||
apiVersion: storage.k8s.io/v1beta1
|
||||
kind: CSIDriver
|
||||
metadata:
|
||||
name: ebs.csi.aws.com
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
spec:
|
||||
attachRequired: true
|
||||
podInfoOnMount: false
|
@ -1,117 +0,0 @@
|
||||
# Node Service
|
||||
kind: DaemonSet
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: ebs-csi-node
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ebs-csi-node
|
||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ebs-csi-node
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||
{{- if .Values.node.podAnnotations }}
|
||||
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: eks.amazonaws.com/compute-type
|
||||
operator: NotIn
|
||||
values:
|
||||
- fargate
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
hostNetwork: true
|
||||
priorityClassName: system-node-critical
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
{{- with .Values.node.tolerations }}
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: ebs-plugin
|
||||
securityContext:
|
||||
privileged: true
|
||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
args:
|
||||
- node
|
||||
- --endpoint=$(CSI_ENDPOINT)
|
||||
- --logtostderr
|
||||
- --v=5
|
||||
env:
|
||||
- name: CSI_ENDPOINT
|
||||
value: unix:/csi/csi.sock
|
||||
volumeMounts:
|
||||
- name: kubelet-dir
|
||||
mountPath: /var/lib/kubelet
|
||||
mountPropagation: "Bidirectional"
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: device-dir
|
||||
mountPath: /dev
|
||||
ports:
|
||||
- name: healthz
|
||||
containerPort: 9808
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: healthz
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 3
|
||||
periodSeconds: 10
|
||||
failureThreshold: 5
|
||||
- name: node-driver-registrar
|
||||
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
|
||||
args:
|
||||
- --csi-address=$(ADDRESS)
|
||||
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
|
||||
- --v=5
|
||||
lifecycle:
|
||||
preStop:
|
||||
exec:
|
||||
command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"]
|
||||
env:
|
||||
- name: ADDRESS
|
||||
value: /csi/csi.sock
|
||||
- name: DRIVER_REG_SOCK_PATH
|
||||
value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
|
||||
volumeMounts:
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: registration-dir
|
||||
mountPath: /registration
|
||||
- name: liveness-probe
|
||||
image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }}
|
||||
args:
|
||||
- --csi-address=/csi/csi.sock
|
||||
volumeMounts:
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
volumes:
|
||||
- name: kubelet-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet
|
||||
type: Directory
|
||||
- name: plugin-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
|
||||
type: DirectoryOrCreate
|
||||
- name: registration-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins_registry/
|
||||
type: Directory
|
||||
- name: device-dir
|
||||
hostPath:
|
||||
path: /dev
|
||||
type: Directory
|
@ -1,15 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-snapshot-controller-leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
|
||||
{{- end }}
|
@ -1,19 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: snapshot-controller-leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ebs-snapshot-controller
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: snapshot-controller-leaderelection
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
{{- end }}
|
@ -1,15 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: ebs-csi-controller-sa
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.controller.annotations }}
|
||||
annotations: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if eq .Release.Name "kustomize" }}
|
||||
#Enable if EKS IAM for SA is used
|
||||
#annotations:
|
||||
# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
|
||||
{{- end }}
|
@ -1,13 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: ebs-snapshot-controller
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.snapshot.annotations }}
|
||||
annotations: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,30 +0,0 @@
|
||||
{{- if .Values.enableVolumeSnapshot }}
|
||||
#Snapshot controller
|
||||
kind: StatefulSet
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: ebs-snapshot-controller
|
||||
namespace: kube-system
|
||||
labels:
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||
spec:
|
||||
serviceName: ebs-snapshot-controller
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ebs-snapshot-controller
|
||||
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ebs-snapshot-controller
|
||||
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||
spec:
|
||||
serviceAccountName: ebs-snapshot-controller
|
||||
containers:
|
||||
- name: snapshot-controller
|
||||
image: quay.io/k8scsi/snapshot-controller:v2.1.1
|
||||
args:
|
||||
- --v=5
|
||||
- --leader-election=false
|
||||
{{- end }}
|
@ -1,86 +0,0 @@
|
||||
# Default values for aws-ebs-csi-driver.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
replicaCount: 2
|
||||
|
||||
image:
|
||||
repository: amazon/aws-ebs-csi-driver
|
||||
tag: "v0.7.0"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
sidecars:
|
||||
provisionerImage:
|
||||
repository: quay.io/k8scsi/csi-provisioner
|
||||
tag: "v1.5.0"
|
||||
attacherImage:
|
||||
repository: quay.io/k8scsi/csi-attacher
|
||||
tag: "v1.2.0"
|
||||
snapshotterImage:
|
||||
repository: quay.io/k8scsi/csi-snapshotter
|
||||
tag: "v2.1.1"
|
||||
livenessProbeImage:
|
||||
repository: quay.io/k8scsi/livenessprobe
|
||||
tag: "v1.1.0"
|
||||
resizerImage:
|
||||
repository: quay.io/k8scsi/csi-resizer
|
||||
tag: "v0.3.0"
|
||||
nodeDriverRegistrarImage:
|
||||
repository: quay.io/k8scsi/csi-node-driver-registrar
|
||||
tag: "v1.1.0"
|
||||
|
||||
imagePullSecrets: []
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
podAnnotations: {}
|
||||
|
||||
# True if enable volume scheduling for dynamic volume provisioning
|
||||
enableVolumeScheduling: false
|
||||
|
||||
# True if enable volume resizing
|
||||
enableVolumeResizing: false
|
||||
|
||||
# True if enable volume snapshot
|
||||
enableVolumeSnapshot: false
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
# Extra volume tags to attach to each dynamically provisioned volume.
|
||||
# ---
|
||||
# extraVolumeTags:
|
||||
# key1: value1
|
||||
# key2: value2
|
||||
extraVolumeTags: {}
|
||||
|
||||
# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
|
||||
# service.
|
||||
# ---
|
||||
# region: us-east-1
|
||||
region: ""
|
||||
|
||||
node:
|
||||
podAnnotations: {}
|
||||
tolerations: []
|
||||
|
||||
serviceAccount:
|
||||
controller:
|
||||
annotations: {}
|
||||
snapshot:
|
||||
annotations: {}
|
@ -4,6 +4,22 @@ apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-sc-gp2-xfs
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
provisioner: ebs.csi.aws.com
|
||||
volumeBindingMode: WaitForFirstConsumer
|
||||
parameters:
|
||||
csi.storage.k8s.io/fstype: xfs
|
||||
type: gp2
|
||||
encrypted: "true"
|
||||
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
|
||||
allowVolumeExpansion: true
|
||||
{{- end }}
|
||||
---
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: ebs-sc-gp3-xfs
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
{{- if .Values.StorageClass.default }}
|
||||
annotations:
|
||||
@ -13,7 +29,7 @@ provisioner: ebs.csi.aws.com
|
||||
volumeBindingMode: WaitForFirstConsumer
|
||||
parameters:
|
||||
csi.storage.k8s.io/fstype: xfs
|
||||
type: gp2
|
||||
type: gp3
|
||||
encrypted: "true"
|
||||
{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }}
|
||||
allowVolumeExpansion: true
|
||||
|
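Review bot: The `{{- if .Values.StorageClass.default }}` block now follows `ebs-sc-gp3-xfs` while the newly inserted `ebs-sc-gp2-xfs` stanza carries no such marker (the annotation body itself is outside the hunk), so an upgrade appears to move the cluster's default StorageClass from gp2 to gp3 for every PVC that omits `storageClassName`; that behavioural change deserves a line in the chart README and a values comment such as `# StorageClass.default marks ebs-sc-gp3-xfs (not gp2) as the cluster default`. The template now renders two nearly identical StorageClass stanzas, so `encrypted: "true"` and the `enableVolumeResizing` guard can drift between them; a `range` over the volume types, with the default annotation conditioned on the gp3 entry, would keep them aligned. `type: gp3` is only accepted by aws-ebs-csi-driver releases that support gp3 — the vendored chart deleted in this commit pinned tag `"v0.7.0"` — so the replacement dependency version should be confirmed before merging.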
@ -1,14 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
|
||||
|
||||
REPO="kubernetes-sigs/aws-ebs-csi-driver"
|
||||
[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
|
||||
|
||||
rm -rf git
|
||||
git clone https://github.com/$REPO.git git
|
||||
cd git && git checkout $RELEASE && cd -
|
||||
|
||||
rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver
|
||||
mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver
|
@ -20,3 +20,5 @@
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
|
||||
git
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-calico
|
||||
description: KubeZero Umbrella Chart for Calico
|
||||
type: application
|
||||
version: 0.2.0
|
||||
appVersion: v3.16.1
|
||||
version: 0.2.1
|
||||
appVersion: v3.16.5
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-calico
|
||||
|
||||
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square)
|
||||
![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Calico
|
||||
|
||||
@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| image.tag | string | `""` | |
|
||||
| installCRDs | bool | `false` | |
|
||||
| loglevel | string | `"Warning"` | |
|
||||
| mtu | int | `8941` | |
|
||||
| network | string | `"vxlan"` | |
|
||||
|
@ -1,101 +0,0 @@
|
||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
||||
@@ -10,13 +10,13 @@
|
||||
# Typha is disabled.
|
||||
typha_service_name: "none"
|
||||
# Configure the backend to use.
|
||||
- calico_backend: "bird"
|
||||
+ calico_backend: "vxlan"
|
||||
# Configure the MTU to use for workload interfaces and tunnels.
|
||||
# - If Wireguard is enabled, set to your network MTU - 60
|
||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
||||
- veth_mtu: "1410"
|
||||
+ veth_mtu: "8941"
|
||||
|
||||
# The CNI network configuration to install on each node. The special
|
||||
# values in this config will be automatically populated.
|
||||
@@ -3451,29 +3451,6 @@
|
||||
terminationGracePeriodSeconds: 0
|
||||
priorityClassName: system-node-critical
|
||||
initContainers:
|
||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
||||
- # It can be deleted if this is a fresh installation, or if you have already
|
||||
- # upgraded to use calico-ipam.
|
||||
- - name: upgrade-ipam
|
||||
- image: calico/cni:v3.15.0
|
||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
||||
- env:
|
||||
- - name: KUBERNETES_NODE_NAME
|
||||
- valueFrom:
|
||||
- fieldRef:
|
||||
- fieldPath: spec.nodeName
|
||||
- - name: CALICO_NETWORKING_BACKEND
|
||||
- valueFrom:
|
||||
- configMapKeyRef:
|
||||
- name: calico-config
|
||||
- key: calico_backend
|
||||
- volumeMounts:
|
||||
- - mountPath: /var/lib/cni/networks
|
||||
- name: host-local-net-dir
|
||||
- - mountPath: /host/opt/cni/bin
|
||||
- name: cni-bin-dir
|
||||
- securityContext:
|
||||
- privileged: true
|
||||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
@@ -3545,7 +3522,7 @@
|
||||
key: calico_backend
|
||||
# Cluster type to identify the deployment type
|
||||
- name: CLUSTER_TYPE
|
||||
- value: "k8s,bgp"
|
||||
+ value: "k8s,kubeadm"
|
||||
# Auto-detect the BGP IP address.
|
||||
- name: IP
|
||||
value: "autodetect"
|
||||
@@ -3554,7 +3531,7 @@
|
||||
value: "Never"
|
||||
# Enable or Disable VXLAN on the default IP pool.
|
||||
- name: CALICO_IPV4POOL_VXLAN
|
||||
- value: "CrossSubnet"
|
||||
+ value: "Always"
|
||||
# Set MTU for tunnel device used if ipip is enabled
|
||||
- name: FELIX_IPINIPMTU
|
||||
valueFrom:
|
||||
@@ -3595,9 +3572,17 @@
|
||||
value: "false"
|
||||
# Set Felix logging to "info"
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
- value: "info"
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYFILE
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYSYS
|
||||
+ value: ""
|
||||
- name: FELIX_HEALTHENABLED
|
||||
value: "true"
|
||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
||||
+ value: "false"
|
||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
||||
+ value: "true"
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
@@ -3608,7 +3593,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-live
|
||||
- - -bird-live
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
@@ -3617,7 +3601,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-ready
|
||||
- - -bird-ready
|
||||
periodSeconds: 10
|
||||
volumeMounts:
|
||||
- mountPath: /lib/modules
|
3359
charts/kubezero-calico/calico-v3.16.5.patch
Normal file
@ -1,3 +1,4 @@
|
||||
---
|
||||
# Source: calico/templates/kdd-crds.yaml
|
||||
|
||||
|
||||
@ -192,6 +193,29 @@ spec:
|
||||
description: Selector for the nodes that should have this peering. When
|
||||
this is set, the Node field must be empty.
|
||||
type: string
|
||||
password:
|
||||
description: Optional BGP password for the peerings generated by this
|
||||
BGPPeer resource.
|
||||
properties:
|
||||
secretKeyRef:
|
||||
description: Selects a key of a secret in the node pod's namespace.
|
||||
properties:
|
||||
key:
|
||||
description: The key of the secret to select from. Must be
|
||||
a valid secret key.
|
||||
type: string
|
||||
name:
|
||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||
TODO: Add other useful fields. apiVersion, kind, uid?'
|
||||
type: string
|
||||
optional:
|
||||
description: Specify whether the Secret or its key must be
|
||||
defined
|
||||
type: boolean
|
||||
required:
|
||||
- key
|
||||
type: object
|
||||
type: object
|
||||
peerIP:
|
||||
description: The IP address of the peer followed by an optional port
|
||||
number to peer with. If port number is given, format should be `[<IPv6>]:port`
|
||||
@ -396,6 +420,16 @@ spec:
|
||||
spec:
|
||||
description: FelixConfigurationSpec contains the values of the Felix configuration.
|
||||
properties:
|
||||
allowIPIPPacketsFromWorkloads:
|
||||
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
|
||||
will add a rule to drop IPIP encapsulated traffic from workloads
|
||||
[Default: false]'
|
||||
type: boolean
|
||||
allowVXLANPacketsFromWorkloads:
|
||||
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
|
||||
will add a rule to drop VXLAN encapsulated traffic from workloads
|
||||
[Default: false]'
|
||||
type: boolean
|
||||
awsSrcDstCheck:
|
||||
description: 'Set source-destination-check on AWS EC2 instances. Accepted
|
||||
value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
|
||||
|
@ -1,6 +0,0 @@
|
||||
{{- if .Values.installCRDs }}
|
||||
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
|
||||
{{ $.Files.Get $path }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,5 +1,3 @@
|
||||
installCRDs: false
|
||||
|
||||
image:
|
||||
tag: ""
|
||||
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-cert-manager
|
||||
description: KubeZero Umbrella Chart for cert-manager
|
||||
type: application
|
||||
version: 0.4.0
|
||||
version: 0.4.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -15,6 +15,7 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: cert-manager
|
||||
version: 1.0.3
|
||||
version: 1.1.0
|
||||
repository: https://charts.jetstack.io
|
||||
condition: cert-manager.enabled
|
||||
kubeVersion: ">= 1.16.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-cert-manager
|
||||
|
||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for cert-manager
|
||||
|
||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://charts.jetstack.io | cert-manager | 1.0.3 |
|
||||
| https://charts.jetstack.io | cert-manager | 1.1.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## AWS - IAM Role
|
||||
@ -38,12 +38,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
||||
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| cert-manager.enabled | bool | `true` | |
|
||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
||||
| cert-manager.installCRDs | bool | `true` | |
|
||||
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
|
||||
| cert-manager.podAnnotations | object | `{}` | |
|
||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
@ -51,5 +52,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
||||
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| clusterIssuer | object | `{}` | |
|
||||
| localCA.enabled | bool | `true` | |
|
||||
| localCA.enabled | bool | `false` | |
|
||||
| localCA.selfsigning | bool | `true` | |
|
||||
|
@ -3,11 +3,11 @@
|
||||
|
||||
# KubeZero / Local cluster CA
|
||||
# The resources are serialized via waves in Argo
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: kubezero-selfsigning-issuer
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
@ -15,11 +15,11 @@ metadata:
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: kubezero-local-ca
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
@ -30,6 +30,7 @@ spec:
|
||||
isCA: true
|
||||
issuerRef:
|
||||
name: kubezero-selfsigning-issuer
|
||||
kind: ClusterIssuer
|
||||
usages:
|
||||
- "any"
|
||||
---
|
||||
@ -39,7 +40,7 @@ apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubezero-ca-tls
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
data:
|
||||
@ -48,11 +49,11 @@ data:
|
||||
---
|
||||
{{- end }}
|
||||
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: kubezero-local-ca-issuer
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
|
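Review bot: Both issuers are now `kind: ClusterIssuer`, a cluster-scoped kind, so the `namespace: {{ .Release.Namespace }}` kept under `metadata:` of `kubezero-selfsigning-issuer` and `kubezero-local-ca-issuer` is ignored by the API server and should be dropped. cert-manager resolves secrets referenced by a ClusterIssuer in its cluster-resource namespace rather than in the release namespace, so the `kubezero-ca-tls` Secret emitted into `{{ .Release.Namespace }}` is only found when the chart is installed into that namespace; the issuer's `ca:` stanza lies outside the hunk, so please confirm. Moving from a namespaced Issuer to a ClusterIssuer also widens the trust boundary, since a Certificate in any namespace can now be signed by the local CA, which deserves a header comment such as `# ClusterIssuer: certificates from every namespace may be signed by the local CA`. The retained `# The resources are serialized via waves in Argo` comment at the top of the first hunk reads stale on an argoless branch.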
@ -1,5 +1,5 @@
|
||||
{{- if .Values.clusterIssuer.name }}
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .Values.clusterIssuer.name }}
|
||||
|
@ -9,7 +9,7 @@ clusterIssuer: {}
|
||||
# hostedZoneID: 1234567890
|
||||
|
||||
localCA:
|
||||
enabled: true
|
||||
enabled: false
|
||||
# If selfsigning is false you must provide the ca key and crt below
|
||||
selfsigning: true
|
||||
#ca:
|
||||
@ -17,34 +17,45 @@ localCA:
|
||||
# crt: <pem-crt-material>
|
||||
|
||||
cert-manager:
|
||||
installCRDs: true
|
||||
enabled: true
|
||||
|
||||
global:
|
||||
leaderElection:
|
||||
namespace: "cert-manager"
|
||||
|
||||
podAnnotations: {}
|
||||
# iam.amazonaws.com/role: ""
|
||||
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
ingressShim:
|
||||
defaultIssuerName: letsencrypt-dns-prod
|
||||
defaultIssuerKind: ClusterIssuer
|
||||
|
||||
webhook:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
cainjector:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
extraArgs:
|
||||
- "--dns01-recursive-nameservers-only"
|
||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||
# - --enable-certificate-owner-ref=true
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
|
||||
podAnnotations: {}
|
||||
# iam.amazonaws.com/role: ""
|
||||
|
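Review bot: The helm-docs description `# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN ...` appears only once in the last hunk, next to the trailing `podAnnotations: {}`, while the `podAnnotations: {}` placed after `leaderElection` carries no such comment; the regenerated cert-manager README in this commit lists `cert-manager.podAnnotations` without a description, which suggests the comment was lost when the key moved and should be restored above the new position. Old and new lines are interleaved in this rendering, so this is inferred from the README diff; please confirm. Separately, `localCA.enabled` changes its default to `false`, which presumably stops rendering the local CA issuer for installs that relied on the previous default, so the comment above it should say so, e.g. `# false by default; set to true to render the local CA and its ClusterIssuer`.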
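--- /dev/null
+++ b/charts/kubezero-istio-ingress/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: kubezero-istio-ingress
+description: KubeZero Umbrella Chart for Istio based Ingress
+type: application
+version: 0.1.1
+appVersion: 1.8.1
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+  - kubezero
+  - istio
+maintainers:
+  - name: Quarky9
+dependencies:
+  - name: kubezero-lib
+    version: ">= 0.1.3"
+    repository: https://zero-down-time.github.io/kubezero/
+  - name: istio-ingress
+    version: 1.1.0
+    condition: istio-ingress.enabled
+  - name: istio-private-ingress
+    version: 1.1.0
+    condition: istio-private-ingress.enabled
+kubeVersion: ">= 1.16.0"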
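--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md
@@ -0,0 +1,97 @@
+# kubezero-istio-ingress
+
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
+
+KubeZero Umbrella Chart for Istio based Ingress
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Quarky9 | | |
+
+## Requirements
+
+Kubernetes: `>= 1.16.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| | istio-ingress | 1.1.0 |
+| | istio-private-ingress | 1.1.0 |
+| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.arch.amd64 | int | `2` | |
+| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
+| global.hub | string | `"docker.io/istio"` | |
+| global.jwtPolicy | string | `"first-party-jwt"` | |
+| global.logAsJson | bool | `true` | |
+| global.priorityClassName | string | `"system-cluster-critical"` | |
+| global.tag | string | `"1.8.1"` | |
+| istio-ingress.dnsNames | list | `[]` | |
+| istio-ingress.enabled | bool | `false` | |
+| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
+| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
+| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
+| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
+| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
+| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
+| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
+| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
+| istio-private-ingress.dnsNames | list | `[]` | |
+| istio-private-ingress.enabled | bool | `false` | |
+| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
+| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
+| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/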
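--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md.gotmpl
@@ -0,0 +1,24 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/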
@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
name: istio-ingress
|
||||
version: 1.1.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
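--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.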
@ -0,0 +1,93 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{- define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,27 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
|
@ -0,0 +1,346 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 90
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: {{ .Values.global.network }}
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: gatewaysdsudspath
|
||||
mountPath: /var/run/ingress_gateway
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: gatewaysdsudspath
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
@ -0,0 +1,79 @@
|
||||
{{- if .Values.global.meshExpansion.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: meshexpansion-gateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 15012
|
||||
protocol: TCP
|
||||
name: tcp-istiod
|
||||
hosts:
|
||||
- "*"
|
||||
- port:
|
||||
number: 15017
|
||||
protocol: TCP
|
||||
name: tcp-istiodwebhook
|
||||
hosts:
|
||||
- "*"
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: meshexpansion-vs-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
hosts:
|
||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
gateways:
|
||||
- meshexpansion-gateway
|
||||
tcp:
|
||||
- match:
|
||||
- port: 15012
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 15012
|
||||
- match:
|
||||
- port: 15017
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 443
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: meshexpansion-dr-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
trafficPolicy:
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 15012
|
||||
tls:
|
||||
mode: DISABLE
|
||||
- port:
|
||||
number: 15017
|
||||
tls:
|
||||
mode: DISABLE
|
||||
|
||||
{{- end }}
|
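Review bot: The 15017 route in the VirtualService and the DestinationRule `host` resolve istiod in `.Release.Namespace`, while the VirtualService `hosts` entry and the 15012 route use `.Values.global.istioNamespace`; the values file's header says this chart lives in its own namespace, so those two places would point at `istiod.<ingress-namespace>.svc...`, which does not exist. Change both to `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}` so all three istiod references agree. The Gateway accepting `"*"` on 15012/15017 with `tls.mode: DISABLE` is presumably deliberate (istiod terminates its own mTLS/TLS on those ports), but a one-line comment above `servers:` saying so would stop a later reader from adding TLS termination here.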
@ -0,0 +1,19 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
|
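Review bot: `minAvailable: 1` together with the chart default `autoscaleMin: 1` produces a PodDisruptionBudget that forbids every voluntary disruption while a single gateway replica runs, so a node drain will hang on this pod. Either raise the default minimum replica count when `defaultPodDisruptionBudget.enabled` is true, or record the interaction above `minAvailable`, e.g. `# With one replica this budget blocks drains; run >=2 replicas when enabled.`. The `policy/v1beta1` API used here will also need a switch to `policy/v1` on newer clusters, which is worth a TODO in the template.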
@ -0,0 +1,78 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
|
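Review bot: `exportTo` on the DestinationRule is emitted as a fixed `'*'` whenever `.Values.global.defaultConfigVisibilitySettings` is non-empty, so the configured value (the values file documents `*` or `.`) is ignored and a `.` setting still exports the rule mesh-wide; this may mirror the upstream chart, but it contradicts the values comment. Rendering the list, e.g. `exportTo:` followed by `{{ toYaml .Values.global.defaultConfigVisibilitySettings | indent 4 }}`, makes the setting honest. Less important: the `labels:` blocks here use `toYaml | indent 4` whereas the PodDisruptionBudget and ServiceAccount templates use `toYaml | trim | indent`; pick one form across the chart.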
@ -0,0 +1,16 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
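Review bot: The Role grants `get`, `watch` and `list` on every Secret in the release namespace, unconditionally and without a `resourceNames` restriction (which `list`/`watch` could not honour anyway); that is the reason the values file insists on a dedicated namespace, and it deserves a comment here so the scope is not widened later. Suggested text above `rules:`: `# Read access to all Secrets in this namespace (gateway TLS, implied by the -sds suffix); keep this chart in its own namespace.`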
@ -0,0 +1,19 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
---
|
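Review bot: The ServiceAccount subject at the end of the hunk carries no `namespace`; a RoleBinding resolves that to its own namespace, so it works, but an explicit `namespace: {{ .Release.Namespace }}` under the subject makes the binding self-describing for RBAC audits and survives being copied into a ClusterRoleBinding, where the field is mandatory.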
@ -0,0 +1,55 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
|
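Review bot: When `global.meshExpansion.enabled` is true the `meshExpansionPorts` (15012 by default) are appended to a Service whose default type is `LoadBalancer` and whose `loadBalancerSourceRanges` is only rendered when set, so istiod's control-plane port becomes reachable from any source address; the values file carries that warning only in a comment. Repeat it where the exposure happens, above `{{- if $.Values.global.meshExpansion.enabled }}`, e.g. `# Publishes istiod ports on the external LB; restrict with loadBalancerSourceRanges.`. Minor: the closing `{{ end }}` has no whitespace trim, unlike every other `{{- end }}` in the file, and leaves stray blank lines after the `---`.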
@ -0,0 +1,18 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
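Review bot: `- name: {{ . }}` inside the `imagePullSecrets` range renders the secret name unquoted, so a name made only of digits (a valid DNS-1123 label) becomes a YAML integer and the ServiceAccount is rejected by the API server; use `- name: {{ . | quote }}`, the same `quote` the Deployment template applies to `secretName` for its secret volumes.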
336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
Normal file
336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
Normal file
@ -0,0 +1,336 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
# This is the port where sni routing happens
|
||||
- port: 15443
|
||||
targetPort: 15443
|
||||
name: tls
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tunning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
#### MESH EXPANSION PORTS ########
|
||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||
# exposing unnecessary ports on the web.
|
||||
# You can remove these ports if you are not using mesh expansion
|
||||
meshExpansionPorts:
|
||||
- port: 15012
|
||||
targetPort: 15012
|
||||
name: tcp-istiod
|
||||
####### end MESH EXPANSION PORTS ######
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: gcr.io/istio-testing
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: latest
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||
# ingress gateway
|
||||
meshExpansion:
|
||||
enabled: false
|
||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||
# will be exposed on an internal gateway
|
||||
useILB: false
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
# Deprecated, use meshConfig.trustDomain
|
||||
# trustDomain: ""
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
# trustDomain: ""
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
|
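Review bot: `hub: gcr.io/istio-testing` with `tag: latest` are the image defaults, so an install that overrides neither pulls a floating tag from Istio's CI registry, and with `imagePullPolicy` empty the file's own comment says `latest` is re-pulled on every restart; presumably the parent kubezero chart pins these, but a bare install of this chart gets the unpinned defaults, so pinning a release hub/tag here is safer. `type: LoadBalancer` is paired with `loadBalancerSourceRanges: []`, meaning the published ports (and 15012 once mesh expansion is enabled) are open to any source; a comment above it, e.g. `# Empty = reachable from any address; restrict for internet-facing LBs.`, records that choice. `tracing:` has only commented children and therefore parses as null rather than an empty mapping; write `tracing: {}` if a mapping is expected by consumers.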
@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
name: istio-private-ingress
|
||||
version: 1.1.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
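Review bot: `apiVersion: v1`, `tillerVersion: ">=2.7.2"` and `engine: gotpl` are Helm 2 chart metadata; Helm 3 ignores the latter two, and `apiVersion: v2` would let this chart declare its dependencies and a `kubeVersion` constraint in Chart.yaml instead of relying on the parent chart. The `sources` entry uses plain `http://github.com/istio/istio`; `https://` avoids an unverified redirect. The name `istio-private-ingress` with the generic upstream description suggests a copied chart — a description naming its purpose (private/internal gateway) would help.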
@ -0,0 +1,43 @@
|
||||
|
||||
Changes:
|
||||
- separate namespace allows:
|
||||
-- easier reconfig of just the gateway
|
||||
-- TLS secrets and domain name management is isolated, for better security
|
||||
-- simplified configuration
|
||||
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||
|
||||
- the new chart uses the default namespace service account, and doesn't require
|
||||
additional RBAC permissions.
|
||||
|
||||
- simplified label and chart structure.
|
||||
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||
and allows a bit more flexibility.
|
||||
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||
|
||||
# Port and basic host configuration
|
||||
|
||||
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||
both in upgrade, Gateway and VirtualService.
|
||||
|
||||
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||
config for the rest.
|
||||
|
||||
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||
|
||||
# Migration from istio-system
|
||||
|
||||
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||
with the Service and bound to the namespace, it is recommended to:
|
||||
|
||||
1. Install the new gateway in a new namespace.
|
||||
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||
4. Modify the DNS server to add the A record of the new namespace
|
||||
5. Check traffic
|
||||
6. Delete the A record corresponding to the gateway in istio-system
|
||||
7. Upgrade istio-system, disabling the ingressgateway
|
||||
8. Delete the domain TLS certs from istio-system.
|
||||
|
||||
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -0,0 +1,93 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{- define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
|
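Review bot: `nodeAffinityRequiredDuringScheduling` turns `.global.arch` into a hard `kubernetes.io/arch In [...]` term, and the chart's values list only amd64, s390x and ppc64le, so arm64 nodes are never eligible even though the weighted (preferred) term beside it is the one users are told to tune with the 0–3 scale; whether that is intended depends on the proxy image's arm64 support — if supported, add `arm64: 2` under `global.arch`, otherwise document the exclusion in the values comment. Also, `split "," $item.values` expects `values` to be a comma-separated string (matching the `values: S1,S2` example in values.yaml), so a user who writes a YAML list there gets an opaque render error; a comment above the `split`, `{{/* values is a comma-separated string, not a list */}}`, would save debugging.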
@ -0,0 +1,27 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
|
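Review bot: The HPA is rendered with `autoscaling/v2beta1` and its `targetAverageUtilization` field, which `autoscaling/v2beta2` replaced with `target.type: Utilization` / `target.averageUtilization`; v2beta1 is deprecated and newer clusters drop it, so the template will need a version switch (e.g. on `.Capabilities.APIVersions.Has "autoscaling/v2beta2"`) before that happens — a TODO above `apiVersion:` flags it.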
@ -0,0 +1,346 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 90
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: {{ .Values.global.network }}
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: gatewaysdsudspath
|
||||
mountPath: /var/run/ingress_gateway
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: gatewaysdsudspath
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
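Review bot: The per-gateway env loop renders `value: {{ $val }}` unquoted while the proxyMetadata loop directly below it uses `value: "{{ $value }}"`; an entry in `gateways.istio-ingressgateway.env` whose value looks like a boolean or a number (`"true"`, `"15012"`) therefore renders as a non-string and the API server rejects the Deployment, since `env[].value` must be a string. Use `value: {{ $val | quote }}` there and `value: {{ .Values.global.network | quote }}` for the ISTIO_META_NETWORK entry. Separately, the mountMtlsCerts volume hard-codes `secretName: istio.istio-ingressgateway-service-account` while every other name in this file derives from `$gateway.name`, so an overridden gateway name mounts a secret that does not exist; `secretName: istio.{{ $gateway.name | default "istio-ingressgateway" }}-service-account` keeps it consistent with the ServiceAccount template.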
|
@ -0,0 +1,79 @@
|
||||
{{- if .Values.global.meshExpansion.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: meshexpansion-gateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 15012
|
||||
protocol: TCP
|
||||
name: tcp-istiod
|
||||
hosts:
|
||||
- "*"
|
||||
- port:
|
||||
number: 15017
|
||||
protocol: TCP
|
||||
name: tcp-istiodwebhook
|
||||
hosts:
|
||||
- "*"
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: meshexpansion-vs-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
hosts:
|
||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
gateways:
|
||||
- meshexpansion-gateway
|
||||
tcp:
|
||||
- match:
|
||||
- port: 15012
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 15012
|
||||
- match:
|
||||
- port: 15017
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 443
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: meshexpansion-dr-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
trafficPolicy:
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 15012
|
||||
tls:
|
||||
mode: DISABLE
|
||||
- port:
|
||||
number: 15017
|
||||
tls:
|
||||
mode: DISABLE
|
||||
|
||||
{{- end }}
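Review bot: The 15017 route in the VirtualService and the DestinationRule `host:` use `istiod.{{ .Release.Namespace }}.svc...`, while the VirtualService `hosts:` and the 15012 route use `istiod.{{ .Values.global.istioNamespace }}.svc...`; values.yaml states this chart must be installed in its own namespace, so in that layout the webhook route and the DestinationRule resolve to a host that does not exist. Use the control-plane namespace in all four places: `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`. The port-level `tls: mode: DISABLE` on 15012/15017 means the gateway does not originate TLS toward istiod for this traffic — presumably because the connecting agent negotiates its own session with istiod — and deserves a one-line comment above `portLevelSettings:` so it is not later "fixed" to ISTIO_MUTUAL.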
|
@ -0,0 +1,19 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
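Review bot: `minAvailable: 1` together with the chart default `autoscaleMin: 1` in values.yaml yields a PodDisruptionBudget that can never be satisfied while evicting a single-replica gateway, so draining the node that hosts it blocks until an operator intervenes. Either move the `$gateway` assignment above the `if` and gate the resource on at least two replicas, e.g. `{{- if and .Values.global.defaultPodDisruptionBudget.enabled (gt (int ($gateway.autoscaleMin | default 1)) 1) }}`, or add a comment next to `defaultPodDisruptionBudget` in values.yaml explaining that enabling it with a single replica pins the pod to its node.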
|
@ -0,0 +1,78 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
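Review bot: `exportTo:` is emitted with a literal `'*'` whenever `.Values.global.defaultConfigVisibilitySettings` is non-empty, but values.yaml documents that list as taking either `*` or `.`; an operator who sets `.` to keep these objects namespace-local gets the DestinationRule exported mesh-wide regardless. Render the configured value instead: `{{ toYaml .Values.global.defaultConfigVisibilitySettings | indent 4 }}` under `exportTo:`. The `{{ $gateway := ... }}` assignment above the `multiCluster.enabled` guard has no whitespace trim, so a chart with multicluster disabled still emits a stray blank line; `{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}` avoids it.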
|
@ -0,0 +1,16 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
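Review bot: The `-sds` Role grants `get`, `watch` and `list` on every Secret in the release namespace to the gateway ServiceAccount, which is the reason values.yaml opens with "Must be installed in a separate namespace, to minimize access to secrets"; that rationale belongs on the Role itself so the coupling survives the next refactor, e.g. `# Gateway reads its TLS material via SDS; this grant covers every Secret in the namespace, hence the dedicated-namespace requirement in values.yaml.` above `rules:`. Narrowing with `resourceNames` is only partly possible here — `get` can be restricted to the known secret names, but `list`/`watch` are generally not narrowed by resourceNames — so the namespace boundary remains the effective control and should be stated.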
|
@ -0,0 +1,19 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
---
|
@ -0,0 +1,55 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
|
@ -0,0 +1,18 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
@ -0,0 +1,336 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
# This is the port where sni routing happens
|
||||
- port: 15443
|
||||
targetPort: 15443
|
||||
name: tls
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tunning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
#### MESH EXPANSION PORTS ########
|
||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||
# exposing unnecessary ports on the web.
|
||||
# You can remove these ports if you are not using mesh expansion
|
||||
meshExpansionPorts:
|
||||
- port: 15012
|
||||
targetPort: 15012
|
||||
name: tcp-istiod
|
||||
####### end MESH EXPANSION PORTS ######
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: gcr.io/istio-testing
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: latest
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||
# ingress gateway
|
||||
meshExpansion:
|
||||
enabled: false
|
||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||
# will be exposed on an internal gateway
|
||||
useILB: false
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
# Deprecated, use meshConfig.trustDomain
|
||||
# trustDomain: ""
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
# trustDomain: ""
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
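Review bot: `hub: gcr.io/istio-testing` with `tag: latest` makes the default proxy image a floating tag from Istio's CI registry, so each pod restart may pull a different unreleased build and nothing pins what runs at the cluster edge; the parent kubezero values presumably override these, but the defaults should be a released hub and an explicit, quoted tag, e.g. `hub: docker.io/istio` and `tag: "<release-tag>"` (placeholder), or at minimum a comment above `hub:` stating that they are overridden by the parent chart. Quoting the tag also prevents a numeric-looking tag from being parsed as a float. The `#### MESH EXPANSION PORTS` comment tells operators to delete `meshExpansionPorts` to avoid exposing them, but both the Service and Deployment templates only render those ports when `global.meshExpansion.enabled` is true, so the comment overstates the exposure; reword it to `# Rendered only when global.meshExpansion.enabled is true.`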
|
@ -1,8 +1,9 @@
|
||||
{{- if index .Values "istio-ingress" "enabled" }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-listener-tcp-keepalive
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
@ -30,14 +31,15 @@ spec:
|
||||
name: 5
|
||||
int_value: 60
|
||||
state: STATE_LISTENING
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: private-ingressgateway-listener-tcp-keepalive
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
@ -0,0 +1,35 @@
|
||||
{{- if index .Values "istio-ingress" "dnsNames" }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: ingress-cert
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
secretName: ingress-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
|
||||
{{- end }}
|
||||
|
||||
{{- if index .Values "istio-private-ingress" "dnsNames" }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: private-ingress-cert
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
secretName: private-ingress-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
|
||||
{{- end }}
|
||||
|
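Review bot: Both Certificates hard-code `issuerRef.name: letsencrypt-dns-prod` (L13092, L13145), so every install, including throw-away or staging clusters, requests from the production Let's Encrypt issuer and shares its rate limits, and an internal CA cannot be substituted; sourcing the issuer from values, e.g. `name: {{ default "letsencrypt-dns-prod" (index .Values "istio-ingress" "issuer") }}` (key name is a proposal), keeps the default while allowing an override. Because `dnsNames` is passed through unvalidated and the documented example is a wildcard, the private key written to Secret `ingress-cert`/`private-ingress-cert` may be a wildcard key for the whole zone, so Secret read access in the release namespace should be kept tightly scoped — whoever can read it can impersonate every host under that wildcard. The gateway presumably loads `credentialName` secrets from its own namespace on this Istio version, so the Secret and the gateway pods must stay in the same `.Release.Namespace` as rendered here; worth a one-line comment next to `secretName`.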
@ -1,8 +1,9 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -14,7 +15,7 @@ spec:
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
@ -22,20 +23,21 @@ spec:
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
credentialName: ingress-cert
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -47,7 +49,7 @@ spec:
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
@ -55,33 +57,45 @@ spec:
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
credentialName: private-ingress-cert
|
||||
- port:
|
||||
number: 5672
|
||||
name: amqp
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 5671
|
||||
name: amqps
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 24224
|
||||
name: fluentd-forward
|
||||
protocol: TLS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
credentialName: private-ingress-cert
|
||||
- port:
|
||||
number: 6379
|
||||
name: redis
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 6380
|
||||
name: redis-1
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
{{- end }}
|
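Review bot: The HTTPS servers (L13245, L13352, L13433) set `mode: SIMPLE` without a `minProtocolVersion`, which on this Istio version falls back to Envoy's default minimum and leaves the gateway willing to negotiate TLS 1.0/1.1; adding `minProtocolVersion: TLSV1_2` under each `tls:` block (one line per server) closes that unless a legacy client is known to need older versions. The private gateway also declares cleartext `TCP` listeners for amqp (5672) and redis (6379/6380) next to the TLS ones, and for `protocol: TCP` the `hosts` list is not enforced via SNI, so those ports would carry plaintext credentials to anything that can reach the node ports; the matching service ports are commented out in the new values file, so today they are dead listeners, which deserves a comment such as `# amqp/redis are cleartext; only reachable once the matching nodePort is enabled in values`. Replacing the file-based `privateKey`/`serverCertificate` with `credentialName` (SDS) is the right direction.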
122
charts/kubezero-istio-ingress/values.yaml
Normal file
122
charts/kubezero-istio-ingress/values.yaml
Normal file
@ -0,0 +1,122 @@
|
||||
# Make sure these values match kuberzero-istio !!!
|
||||
global:
|
||||
hub: docker.io/istio
|
||||
tag: 1.8.1
|
||||
|
||||
logAsJson: true
|
||||
jwtPolicy: first-party-jwt
|
||||
|
||||
priorityClassName: "system-cluster-critical"
|
||||
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
arch:
|
||||
amd64: 2
|
||||
|
||||
istio-ingress:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
resources:
|
||||
requests:
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 256Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
type: NodePort
|
||||
env:
|
||||
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||
# ISTIO_META_HTTP10: '"1"'
|
||||
|
||||
# The node selector is normally the list of nodeports, see CloudBender
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "30080_30443"
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
nodePort: 30021
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 30080
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 30443
|
||||
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
||||
istio-private-ingress:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
# name and labels make the ingress private
|
||||
name: istio-private-ingressgateway
|
||||
labels:
|
||||
app: istio-private-ingressgateway
|
||||
istio: private-ingressgateway
|
||||
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 256Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-private-ingressgateway
|
||||
type: NodePort
|
||||
env:
|
||||
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||
# ISTIO_META_HTTP10: '"1"'
|
||||
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "31080_31443"
|
||||
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
nodePort: 31021
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 31080
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 31443
|
||||
#- name: fluentd-forward
|
||||
# port: 24224
|
||||
# nodePort: 31224
|
||||
#- name: amqps
|
||||
# port: 5671
|
||||
# nodePort: 31671
|
||||
#- name: amqp
|
||||
# port: 5672
|
||||
# nodePort: 31672
|
||||
#- name: redis
|
||||
# port: 6379
|
||||
# nodePort: 31379
|
||||
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
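Review bot: `jwtPolicy: first-party-jwt` (L13512) makes the gateway proxies authenticate to istiod with the legacy, non-expiring service-account token mounted into every pod instead of a short-lived, audience-bound projected token; on a cluster whose API server has the TokenRequest API enabled (the kubeadm-based control plane in this repo presumably does — verify `--service-account-issuer`/`--api-audiences` are set) the Istio default `third-party-jwt` is the safer choice, and whichever is chosen should be deliberate, e.g. `jwtPolicy: third-party-jwt  # needs TokenRequest API; fall back to first-party-jwt only if the apiserver lacks it`. The header comment's `kuberzero-istio` is a typo for `kubezero-istio`, and since the `global` block is duplicated by hand between the two charts, a comment naming the exact keys that must match (`hub`, `tag`, `jwtPolicy`) would reduce drift.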
2
charts/kubezero-istio/.gitignore
vendored
2
charts/kubezero-istio/.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
istioctl
|
||||
istio-*
|
||||
istio-?.?.?
|
||||
|
2
charts/kubezero-istio/.helmignore
Normal file
2
charts/kubezero-istio/.helmignore
Normal file
@ -0,0 +1,2 @@
|
||||
istioctl
|
||||
istio-?.?.?
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.3.4
|
||||
appVersion: 1.7.3
|
||||
version: 0.4.1
|
||||
appVersion: 1.8.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -15,6 +15,8 @@ dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: istio-operator
|
||||
version: ">= 1.7"
|
||||
- name: base
|
||||
version: 1.1.0
|
||||
- name: istio-discovery
|
||||
version: 1.2.0
|
||||
kubeVersion: ">= 1.16.0"
|
||||
|
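Review bot: The new `base` and `istio-discovery` dependencies (L13929–L13938) are pinned to exact versions but carry no `repository:`, so Helm resolves them as vendored sub-charts under `charts/`; that only gives reproducibility if whatever fetches them verifies the upstream Istio release against a known checksum or signature, which is not visible here and worth confirming. A short comment would make the provenance explicit, e.g. `# vendored from the upstream istio release matching appVersion; see the update script`. Meanwhile `kubezero-lib` keeps a floating `>= 0.1.3` range while the Istio charts are exact pins — consider locking it for the same reason.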
@ -1,10 +1,10 @@
|
||||
# kubezero-istio
|
||||
|
||||
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square)
|
||||
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
Installs Istio Operator and KubeZero Istio profile
|
||||
Installs the Istio control plane
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
@ -20,26 +20,33 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-operator | >= 1.7 |
|
||||
| | base | 1.1.0 |
|
||||
| | istio-discovery | 1.2.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## KubeZero default configuration
|
||||
- mapped istio-operator to run on the controller nodes only
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| ingress.autoscaleEnabled | bool | `false` | |
|
||||
| ingress.dnsNames[0] | string | `"*"` | |
|
||||
| ingress.private.enabled | bool | `true` | |
|
||||
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
|
||||
| ingress.replicaCount | int | `2` | |
|
||||
| ingress.type | string | `"NodePort"` | |
|
||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
||||
| istio-operator.tag | string | `"1.7.3"` | |
|
||||
| istiod.autoscaleEnabled | bool | `false` | |
|
||||
| istiod.replicaCount | int | `1` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.hub | string | `"docker.io/istio"` | |
|
||||
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| global.tag | string | `"1.8.0"` | |
|
||||
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||
| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
|
||||
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||
|
||||
## Resources
|
||||
|
||||
|