feat: re-add custom gateway support to Istio Ingress

2022-04-21 20:41:15 +02:00 · 2022-04-21 20:41:15 +02:00 · f965380dd6
commit f965380dd6
parent db1b26b79e
4 changed files with 141 additions and 5 deletions
--- a/charts/kubezero/bootstrap.sh
+++ b/charts/kubezero/bootstrap.sh
@ -93,7 +93,7 @@ function _helm() {
  local action=$1
  local module=$2

-  local chart="kubezero-${module}"
+  local chart="$(yq eval '.spec.source.chart' $TMPDIR/kubezero/templates/${module}.yaml)"
  local namespace="$(yq eval '.spec.destination.namespace' $TMPDIR/kubezero/templates/${module}.yaml)"

  targetRevision=""
@ -123,7 +123,7 @@ function _helm() {
    apply

    # Delete dedicated namespace if not kube-system
-    delete_ns $namespace
+    [ -n "$DELETE_NS" ] && delete_ns $namespace
  fi

  return 0
--- a/charts/kubezero/templates/istio-ingress.yaml
+++ b/charts/kubezero/templates/istio-ingress.yaml
@ -0,0 +1,80 @@
+{{- define "istio-ingress-values" }}
+
+gateway:
+  name: istio-ingressgateway
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+
+  # Only nodes who are fronted with matching private NLB
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node.kubernetes.io/ingress.public
+            operator: Exists
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: app
+            operator: In
+            values:
+            - istio-ingressgateway
+        topologyKey: "kubernetes.io/hostname"
+
+  service:
+    ports:
+    - name: status-port
+      port: 15021
+      nodePort: 30021
+      noGateway: true
+    - name: http2
+      port: 80
+      targetPort: 8080
+      nodePort: 30080
+      gatewayProtocol: HTTP2
+      tls:
+        httpsRedirect: true
+    - name: https
+      port: 443
+      targetPort: 8443
+      nodePort: 30443
+      gatewayProtocol: HTTPS
+      tls:
+        mode: SIMPLE
+
+  # custom hardened bootstrap config
+  env:
+    ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+  volumes:
+    - name: custom-bootstrap-volume
+      configMap:
+        name: ingressgateway-bootstrap-config
+  volumeMounts:
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+      readOnly: true
+
+  {{- with index .Values "istio-ingress" "gateway" }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+
+telemetry:
+  enabled: {{ $.Values.metrics.enabled }}
+certificates:
+{{- range $cert := index .Values "istio-ingress" "certificates" }}
+- name: {{ $cert.name }}
+  dnsNames:
+  {{- toYaml $cert.dnsNames | nindent 4 }}
+{{- end }}
+proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
+
+{{- end }}
+
+
+{{- define "istio-ingress-argo" }}
+{{- end }}
+
+{{ include "kubezero-app.app" . }}
--- a/charts/kubezero/templates/istio-private-ingress.yaml
+++ b/charts/kubezero/templates/istio-private-ingress.yaml
@ -5,10 +5,65 @@ gateway:
  labels:
    app: istio-private-ingressgateway
    istio: private-ingressgateway
-  {{- with index .Values "istio-private-ingress" "gateway" }}
-  {{- toYaml . | nindent 2 }}
+
+  {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }}
+  replicaCount: {{ . }}
  {{- end }}

+  # Only nodes who are fronted with matching private NLB
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: node.kubernetes.io/ingress.private
+            operator: Exists
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: app
+            operator: In
+            values:
+            - istio-private-ingressgateway
+        topologyKey: "kubernetes.io/hostname"
+
+  service:
+    ports:
+    - name: status-port
+      port: 15021
+      nodePort: 31021
+      noGateway: true
+    - name: http2
+      port: 80
+      targetPort: 8080
+      nodePort: 31080
+      gatewayProtocol: HTTP2
+      tls:
+        httpsRedirect: true
+    - name: https
+      port: 443
+      targetPort: 8443
+      nodePort: 31443
+      gatewayProtocol: HTTPS
+      tls:
+        mode: SIMPLE
+  {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+  # custom hardened bootstrap config
+  env:
+    ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+  volumes:
+    - name: custom-bootstrap-volume
+      configMap:
+        name: private-ingressgateway-bootstrap-config
+  volumeMounts:
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+      readOnly: true
+
 telemetry:
  enabled: {{ $.Values.metrics.enabled }}
 certificates:
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -35,6 +35,7 @@ istio:

 istio-ingress:
  enabled: false
+  chart: kubezero-istio-gateway
  namespace: istio-ingress
  targetRevision: 0.8.0