feat: re-add custom gateway support to Istio Ingress

This commit is contained in:
Stefan Reimer 2022-04-21 20:41:15 +02:00
parent db1b26b79e
commit f965380dd6
4 changed files with 141 additions and 5 deletions

View File

@ -93,7 +93,7 @@ function _helm() {
local action=$1 local action=$1
local module=$2 local module=$2
local chart="kubezero-${module}" local chart="$(yq eval '.spec.source.chart' $TMPDIR/kubezero/templates/${module}.yaml)"
local namespace="$(yq eval '.spec.destination.namespace' $TMPDIR/kubezero/templates/${module}.yaml)" local namespace="$(yq eval '.spec.destination.namespace' $TMPDIR/kubezero/templates/${module}.yaml)"
targetRevision="" targetRevision=""
@ -123,7 +123,7 @@ function _helm() {
apply apply
# Delete dedicated namespace if not kube-system # Delete dedicated namespace if not kube-system
delete_ns $namespace [ -n "$DELETE_NS" ] && delete_ns $namespace
fi fi
return 0 return 0

View File

@ -0,0 +1,80 @@
{{- define "istio-ingress-values" }}
gateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
# Only nodes who are fronted with matching private NLB
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/ingress.public
operator: Exists
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- istio-ingressgateway
topologyKey: "kubernetes.io/hostname"
service:
ports:
- name: status-port
port: 15021
nodePort: 30021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 30443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
volumes:
- name: custom-bootstrap-volume
configMap:
name: ingressgateway-bootstrap-config
volumeMounts:
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
readOnly: true
{{- with index .Values "istio-ingress" "gateway" }}
{{- toYaml . | nindent 2 }}
{{- end }}
telemetry:
enabled: {{ $.Values.metrics.enabled }}
certificates:
{{- range $cert := index .Values "istio-ingress" "certificates" }}
- name: {{ $cert.name }}
dnsNames:
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
{{- end }}
{{- define "istio-ingress-argo" }}
{{- end }}
{{ include "kubezero-app.app" . }}

View File

@ -2,13 +2,68 @@
gateway: gateway:
name: istio-private-ingressgateway name: istio-private-ingressgateway
labels: labels:
app: istio-private-ingressgateway app: istio-private-ingressgateway
istio: private-ingressgateway istio: private-ingressgateway
{{- with index .Values "istio-private-ingress" "gateway" }}
{{- toYaml . | nindent 2 }} {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }}
replicaCount: {{ . }}
{{- end }} {{- end }}
# Only nodes who are fronted with matching private NLB
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/ingress.private
operator: Exists
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- istio-private-ingressgateway
topologyKey: "kubernetes.io/hostname"
service:
ports:
- name: status-port
port: 15021
nodePort: 31021
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 31443
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
{{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }}
{{- toYaml . | nindent 4 }}
{{- end }}
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
volumes:
- name: custom-bootstrap-volume
configMap:
name: private-ingressgateway-bootstrap-config
volumeMounts:
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
readOnly: true
telemetry: telemetry:
enabled: {{ $.Values.metrics.enabled }} enabled: {{ $.Values.metrics.enabled }}
certificates: certificates:

View File

@ -35,6 +35,7 @@ istio:
istio-ingress: istio-ingress:
enabled: false enabled: false
chart: kubezero-istio-gateway
namespace: istio-ingress namespace: istio-ingress
targetRevision: 0.8.0 targetRevision: 0.8.0