feat: Istio upgrade to 1.21

Stefan Reimer 2024-04-03 11:49:07 +00:00
parent 08b2baafa1
commit fe99c5cdf8
21 changed files with 638 additions and 397 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-istio-gateway name: kubezero-istio-gateway
description: KubeZero Umbrella Chart for Istio gateways description: KubeZero Umbrella Chart for Istio gateways
type: application type: application
version: 0.19.5 version: 0.21.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -1,6 +1,6 @@
# kubezero-istio-gateway # kubezero-istio-gateway
![Version: 0.19.4](https://img.shields.io/badge/Version-0.19.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Istio gateways KubeZero Umbrella Chart for Istio gateways
@ -21,7 +21,7 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://istio-release.storage.googleapis.com/charts | gateway | 1.19.4 | | https://istio-release.storage.googleapis.com/charts | gateway | 1.21.0 |
## Values ## Values
@ -41,6 +41,8 @@ Kubernetes: `>= 1.26.0`
| gateway.service.externalTrafficPolicy | string | `"Local"` | | | gateway.service.externalTrafficPolicy | string | `"Local"` | |
| gateway.service.type | string | `"NodePort"` | | | gateway.service.type | string | `"NodePort"` | |
| gateway.terminationGracePeriodSeconds | int | `120` | | | gateway.terminationGracePeriodSeconds | int | `120` | |
| hardening.rejectUnderscoresHeaders | bool | `true` | |
| hardening.unescapeSlashes | bool | `true` | |
| proxyProtocol | bool | `true` | | | proxyProtocol | bool | `true` | |
| telemetry.enabled | bool | `false` | | | telemetry.enabled | bool | `false` | |


@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: 1.19.4 appVersion: 1.21.0
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
icon: https://istio.io/latest/favicons/android-192x192.png icon: https://istio.io/latest/favicons/android-192x192.png
keywords: keywords:
@ -9,4 +9,4 @@ name: gateway
sources: sources:
- https://github.com/istio/istio - https://github.com/istio/istio
type: application type: application
version: 1.19.4 version: 1.21.0


@ -35,6 +35,28 @@ To view support configuration options and documentation, run:
helm show values istio/gateway helm show values istio/gateway
``` ```
### Profiles
Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
These can be set with `--set profile=<profile>`.
For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
Explicitly set values have highest priority, then profile settings, then chart defaults.
As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
When configuring the chart, you should not include this.
That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
### OpenShift
When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
```console
helm install istio-ingressgateway istio/gateway -- set profile=openshift
```
### `image: auto` Information ### `image: auto` Information
The image used by the chart, `auto`, may be unintuitive. The image used by the chart, `auto`, may be unintuitive.


@ -0,0 +1,25 @@
# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_META_ENABLE_HBONE: "true"
variant: distroless
pilot:
variant: distroless
env:
# Setup more secure default that is off in 'default' only for backwards compatibility
VERIFY_CERTIFICATE_AT_CLIENT: "true"
ENABLE_AUTO_SNI: "true"
PILOT_ENABLE_HBONE: "true"
CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
cni:
logLevel: info
privileged: true
ambient:
enabled: true
# Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
excludeNamespaces:
- kube-system


@ -0,0 +1,6 @@
pilot:
env:
ENABLE_EXTERNAL_NAME_ALIAS: "false"
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
VERIFY_CERTIFICATE_AT_CLIENT: "false"
ENABLE_AUTO_SNI: "false"
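Review bot: Nothing in this file says that it switches two security-related istiod settings off: `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` are set to `"false"` here, while the ambient profile added in the same commit sets both to `"true"` and calls that the more secure default. An install that selects this compatibility profile would therefore keep the older, less strict behaviour without any visible hint. A header comment such as `# Compatibility profile: restores pre-upgrade defaults, including VERIFY_CERTIFICATE_AT_CLIENT=false and ENABLE_AUTO_SNI=false` would make that explicit. The file looks like part of the vendored upstream chart, so the caveat may fit better in the umbrella chart's upgrade notes.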


@ -0,0 +1,69 @@
# The demo profile enables a variety of things to try out Istio in non-production environments.
# * Lower resource utilization.
# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
# * More ports enabled on the ingress, which is used in some tasks.
meshConfig:
accessLogFile: /dev/stdout
extensionProviders:
- name: otel
envoyOtelAls:
service: opentelemetry-collector.istio-system.svc.cluster.local
port: 4317
- name: skywalking
skywalking:
service: tracing.istio-system.svc.cluster.local
port: 11800
- name: otel-tracing
opentelemetry:
port: 4317
service: opentelemetry-collector.otel-collector.svc.cluster.local
global:
proxy:
resources:
requests:
cpu: 10m
memory: 40Mi
pilot:
autoscaleEnabled: false
traceSampling: 100
resources:
requests:
cpu: 10m
memory: 100Mi
gateways:
istio-egressgateway:
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
istio-ingressgateway:
autoscaleEnabled: false
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
- port: 80
targetPort: 8080
name: http2
- port: 443
targetPort: 8443
name: https
- port: 31400
targetPort: 31400
name: tcp
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
resources:
requests:
cpu: 10m
memory: 40Mi


@ -0,0 +1,18 @@
# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
# CNI must be installed.
cni:
cniBinDir: /var/lib/cni/bin
cniConfDir: /etc/cni/multus/net.d
chained: false
cniConfFileName: "istio-cni.conf"
excludeNamespaces:
- istio-system
- kube-system
logLevel: info
privileged: true
provider: "multus"
global:
platform: openshift
istio_cni:
enabled: true
chained: false


@ -0,0 +1,9 @@
# The preview profile contains features that are experimental.
# This is intended to explore new features coming to Istio.
# Stability, security, and performance are not guaranteed - use at your own risk.
meshConfig:
defaultConfig:
proxyMetadata:
# Enable Istio agent to handle DNS requests for known hosts
# Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
ISTIO_META_DNS_CAPTURE: "true"


@ -46,6 +46,10 @@ spec:
- name: net.ipv4.ip_unprivileged_port_start - name: net.ipv4.ip_unprivileged_port_start
value: "0" value: "0"
{{- end }} {{- end }}
{{- with .Values.volumes }}
volumes:
{{ toYaml . | nindent 8 }}
{{- end }}
containers: containers:
- name: istio-proxy - name: istio-proxy
# "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
@ -94,9 +98,9 @@ spec:
name: http-envoy-prom name: http-envoy-prom
resources: resources:
{{- toYaml .Values.resources | nindent 12 }} {{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.volumeMounts }} {{- with .Values.volumeMounts }}
volumeMounts: volumeMounts:
{{- toYaml .Values.volumeMounts | nindent 12 }} {{ toYaml . | nindent 12 }}
{{- end }} {{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
@ -118,7 +122,3 @@ spec:
{{- with .Values.priorityClassName }} {{- with .Values.priorityClassName }}
priorityClassName: {{ . }} priorityClassName: {{ . }}
{{- end }} {{- end }}
{{- with .Values.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}


@ -28,4 +28,15 @@ spec:
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization type: Utilization
{{- end }} {{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.autoscaleBehavior }}
behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
{{- end }}
{{- end }} {{- end }}


@ -15,12 +15,19 @@ spec:
{{- with .Values.service.loadBalancerIP }} {{- with .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ . }}" loadBalancerIP: "{{ . }}"
{{- end }} {{- end }}
{{- with .Values.service.ipFamilyPolicy }} {{- if eq .Values.service.type "LoadBalancer" }}
ipFamilyPolicy: "{{ . }}" {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- end }} {{- end }}
{{- with .Values.service.ipFamilies }} {{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: ipFamilies:
{{ toYaml . | indent 4 }} {{- range .Values.service.ipFamilies }}
- {{ . }}
{{- end }}
{{- end }} {{- end }}
{{- with .Values.service.loadBalancerSourceRanges }} {{- with .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: loadBalancerSourceRanges:


@ -0,0 +1,34 @@
{{/*
Complex logic ahead...
We have three sets of values, in order of precedence (last wins):
1. The builtin values.yaml defaults
2. The profile the user selects
3. Users input (-f or --set)
Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
We can then merge the profile onto the defaults, then the user settings onto that.
Finally, we can set all of that under .Values so the chart behaves without awareness.
*/}}
{{- $defaults := $.Values.defaults }}
{{- $_ := unset $.Values "defaults" }}
{{- $profile := dict }}
{{- with .Values.profile }}
{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
{{- $profile = (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown profile" $.Values.profile) }}
{{- end }}
{{- end }}
{{- with .Values.compatibilityVersion }}
{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
{{- end }}
{{- end }}
{{- if $profile }}
{{- $a := mustMergeOverwrite $defaults $profile }}
{{- end }}
{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
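Review bot: A profile file that fails to parse is not rejected here: Helm's `fromYaml` reports a parse failure through an `Error` key in the returned map rather than aborting, so `mustMergeOverwrite` would merge that key into the values and the chart would render with the profile settings silently missing. The `with`/`else` guards only cover a missing or empty file. A check after the loads, for example `{{- if hasKey $profile "Error" }}{{ fail (cat "invalid profile" $.Values.profile) }}{{- end }}`, would turn that into a hard failure. The profile files ship inside the chart, so this matters mainly when a profile is edited locally.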


@ -2,6 +2,9 @@
"$schema": "http://json-schema.org/schema#", "$schema": "http://json-schema.org/schema#",
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
"$defs": {
"values": {
"type": "object",
"properties": { "properties": {
"global": { "global": {
"type": "object" "type": "object"
@ -10,14 +13,23 @@
"type": "object" "type": "object"
}, },
"securityContext": { "securityContext": {
"type": ["object", "null"] "type": [
"object",
"null"
]
}, },
"containerSecurityContext": { "containerSecurityContext": {
"type": ["object", "null"] "type": [
"object",
"null"
]
}, },
"kind":{ "kind": {
"type": "string", "type": "string",
"enum": ["Deployment", "DaemonSet"] "enum": [
"Deployment",
"DaemonSet"
]
}, },
"annotations": { "annotations": {
"additionalProperties": { "additionalProperties": {
@ -51,12 +63,6 @@
"labels": { "labels": {
"type": "object" "type": "object"
}, },
"volumes": {
"type": "array"
},
"volumeMounts": {
"type": "array"
},
"name": { "name": {
"type": "string" "type": "string"
}, },
@ -81,7 +87,10 @@
} }
}, },
"replicaCount": { "replicaCount": {
"type": [ "integer", "null" ] "type": [
"integer",
"null"
]
}, },
"resources": { "resources": {
"type": "object", "type": "object",
@ -113,12 +122,22 @@
"revision": { "revision": {
"type": "string" "type": "string"
}, },
"compatibilityVersion": {
"type": "string"
},
"runAsRoot": { "runAsRoot": {
"type": "boolean" "type": "boolean"
}, },
"unprivilegedPort": { "unprivilegedPort": {
"type": ["string", "boolean"], "type": [
"enum": [true, false, "auto"] "string",
"boolean"
],
"enum": [
true,
false,
"auto"
]
}, },
"service": { "service": {
"type": "object", "type": "object",
@ -135,15 +154,23 @@
"loadBalancerSourceRanges": { "loadBalancerSourceRanges": {
"type": "array" "type": "array"
}, },
"ipFamilies" : { "ipFamilies": {
"items": { "items": {
"type": "string", "type": "string",
"enum": ["IPv4", "IPv6"] "enum": [
"IPv4",
"IPv6"
]
} }
}, },
"ipFamilyPolicy" : { "ipFamilyPolicy": {
"type": "string", "type": "string",
"enum": ["", "SingleStack", "PreferDualStack", "RequireDualStack"] "enum": [
"",
"SingleStack",
"PreferDualStack",
"RequireDualStack"
]
}, },
"ports": { "ports": {
"type": "array", "type": "array",
@ -203,7 +230,12 @@
}, },
"imagePullPolicy": { "imagePullPolicy": {
"type": "string", "type": "string",
"enum": ["", "Always", "IfNotPresent", "Never"] "enum": [
"",
"Always",
"IfNotPresent",
"Never"
]
}, },
"imagePullSecrets": { "imagePullSecrets": {
"type": "array", "type": "array",
@ -220,22 +252,50 @@
"type": "object", "type": "object",
"properties": { "properties": {
"minAvailable": { "minAvailable": {
"type": ["integer", "string"] "type": [
"integer",
"string"
]
}, },
"maxUnavailable": { "maxUnavailable": {
"type": ["integer", "string"] "type": [
"integer",
"string"
]
}, },
"unhealthyPodEvictionPolicy": { "unhealthyPodEvictionPolicy": {
"type": "string", "type": "string",
"enum": ["", "IfHealthyBudget", "AlwaysAllow"] "enum": [
"",
"IfHealthyBudget",
"AlwaysAllow"
]
} }
} }
}, },
"terminationGracePeriodSeconds": { "terminationGracePeriodSeconds": {
"type": "number" "type": "number"
}, },
"volumes": {
"type": "array",
"items": {
"type": "object"
}
},
"volumeMounts": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": { "priorityClassName": {
"type": "string" "type": "string"
} }
} }
}
},
"defaults": {
"$ref": "#/$defs/values"
},
"$ref": "#/$defs/values"
} }
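Review bot: The root-level `"additionalProperties": false` probably stops rejecting unknown value keys after this restructuring, because the property list moves under `$defs.values` (which declares only `type` and `properties`) and the root reaches it through `"$ref"`; validators following draft-07 or earlier ignore keywords placed beside `$ref`. The root-level `"defaults"` entry is also not inside a `properties` map, so it reads as an unrecognised keyword rather than a rule for the `defaults` value key. If strict validation is meant to survive, one option is to put `"additionalProperties": false` and a `"defaults": { "$ref": "#/$defs/values" }` property inside `$defs.values` itself, then check that against the chart's default values. Indentation is lost on this page, so the nesting is read from bracket order. The file appears to come from the vendored upstream chart, so the change may belong upstream or in the local patch file.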


@ -1,20 +1,21 @@
# Name allows overriding the release name. Generally this should not be set defaults:
name: "" # Name allows overriding the release name. Generally this should not be set
# revision declares which revision this gateway is a part of name: ""
revision: "" # revision declares which revision this gateway is a part of
revision: ""
# Controls the spec.replicas setting for the Gateway deployment if set. # Controls the spec.replicas setting for the Gateway deployment if set.
# Otherwise defaults to Kubernetes Deployment default (1). # Otherwise defaults to Kubernetes Deployment default (1).
replicaCount: replicaCount:
kind: Deployment kind: Deployment
rbac: rbac:
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
# when using http://gateway-api.org/. # when using http://gateway-api.org/.
enabled: true enabled: true
serviceAccount: serviceAccount:
# If set, a service account will be created. Otherwise, the default is used # If set, a service account will be created. Otherwise, the default is used
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@ -23,20 +24,20 @@ serviceAccount:
# If not set, the release name is used # If not set, the release name is used
name: "" name: ""
podAnnotations: podAnnotations:
prometheus.io/port: "15020" prometheus.io/port: "15020"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus" prometheus.io/path: "/stats/prometheus"
inject.istio.io/templates: "gateway" inject.istio.io/templates: "gateway"
sidecar.istio.io/inject: "true" sidecar.istio.io/inject: "true"
# Define the security context for the pod. # Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: ~ securityContext: ~
containerSecurityContext: ~ containerSecurityContext: ~
service: service:
# Type of service. Set to "None" to disable the service entirely # Type of service. Set to "None" to disable the service entirely
type: LoadBalancer type: LoadBalancer
ports: ports:
@ -59,8 +60,10 @@ service:
externalIPs: [] externalIPs: []
ipFamilyPolicy: "" ipFamilyPolicy: ""
ipFamilies: [] ipFamilies: []
## Whether to automatically allocate NodePorts (only for LoadBalancers).
# allocateLoadBalancerNodePorts: false
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
memory: 128Mi memory: 128Mi
@ -68,72 +71,82 @@ resources:
cpu: 2000m cpu: 2000m
memory: 1024Mi memory: 1024Mi
autoscaling: autoscaling:
enabled: true enabled: true
minReplicas: 1 minReplicas: 1
maxReplicas: 5 maxReplicas: 5
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: {}
autoscaleBehavior: {}
# Pod environment variables # Pod environment variables
env: {} env: {}
# Labels to apply to all resources # Labels to apply to all resources
labels: {} labels: {}
# Annotations to apply to all resources # Annotations to apply to all resources
annotations: {} annotations: {}
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
topologySpreadConstraints: [] topologySpreadConstraints: []
affinity: {} affinity: {}
# If specified, the gateway will act as a network gateway for the given network. # If specified, the gateway will act as a network gateway for the given network.
networkGateway: "" networkGateway: ""
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent # Default behavior: latest images will be Always else IfNotPresent
imagePullPolicy: "" imagePullPolicy: ""
imagePullSecrets: [] imagePullSecrets: []
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
# #
# By default, the `podDisruptionBudget` is disabled (set to `{}`), # By default, the `podDisruptionBudget` is disabled (set to `{}`),
# which means that no PodDisruptionBudget resource will be created. # which means that no PodDisruptionBudget resource will be created.
# #
# To enable the PodDisruptionBudget, configure it by specifying the # To enable the PodDisruptionBudget, configure it by specifying the
# `minAvailable` or `maxUnavailable`. For example, to set the # `minAvailable` or `maxUnavailable`. For example, to set the
# minimum number of available replicas to 1, you can update this value as follows: # minimum number of available replicas to 1, you can update this value as follows:
# #
# podDisruptionBudget: # podDisruptionBudget:
# minAvailable: 1 # minAvailable: 1
# #
# Or, to allow a maximum of 1 unavailable replica, you can set: # Or, to allow a maximum of 1 unavailable replica, you can set:
# #
# podDisruptionBudget: # podDisruptionBudget:
# maxUnavailable: 1 # maxUnavailable: 1
# #
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
# #
# podDisruptionBudget: # podDisruptionBudget:
# minAvailable: 1 # minAvailable: 1
# unhealthyPodEvictionPolicy: AlwaysAllow # unhealthyPodEvictionPolicy: AlwaysAllow
# #
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
# #
# podDisruptionBudget: {} # podDisruptionBudget: {}
# #
podDisruptionBudget: {} podDisruptionBudget: {}
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
# Configure this to a higher priority class in order to make sure your Istio gateway pods # A list of `Volumes` added into the Gateway Pods. See
# will not be killed because of low priority class. # https://kubernetes.io/docs/concepts/storage/volumes/.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass volumes: []
# for more detail.
priorityClassName: "" # A list of `VolumeMounts` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumeMounts: []
# Configure this to a higher priority class in order to make sure your Istio gateway pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""


@ -11,25 +11,6 @@ diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/template
selector: selector:
matchLabels: matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }} {{- include "gateway.selectorLabels" . | nindent 6 }}
@@ -86,6 +90,10 @@
name: http-envoy-prom
resources:
{{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml .Values.volumeMounts | nindent 12 }}
+ {{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
@@ -102,3 +110,7 @@
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.volumes }}
+ volumes:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
--- charts/gateway.orig/templates/service.yaml 2022-12-09 14:58:33.000000000 +0000 --- charts/gateway.orig/templates/service.yaml 2022-12-09 14:58:33.000000000 +0000
+++ charts/gateway/templates/service.yaml 2022-12-12 22:52:27.629670669 +0000 +++ charts/gateway/templates/service.yaml 2022-12-12 22:52:27.629670669 +0000
@ -49,19 +30,3 @@ diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/s
{{- end }} {{- end }}
{{- if .Values.service.externalIPs }} {{- if .Values.service.externalIPs }}
externalIPs: {{- range .Values.service.externalIPs }} externalIPs: {{- range .Values.service.externalIPs }}
diff -tubr charts/gateway.orig/values.schema.json charts/gateway/values.schema.json
--- charts/gateway.orig/values.schema.json 2022-12-09 14:58:33.000000000 +0000
+++ charts/gateway/values.schema.json 2022-12-12 22:52:27.629670669 +0000
@@ -51,6 +51,12 @@
"labels": {
"type": "object"
},
+ "volumes": {
+ "type": "array"
+ },
+ "volumeMounts": {
+ "type": "array"
+ },
"name": {
"type": "string"
},


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.19.5 version: 0.21.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -1,6 +1,6 @@
# kubezero-istio # kubezero-istio
![Version: 0.19.4](https://img.shields.io/badge/Version-0.19.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.21.0](https://img.shields.io/badge/Version-0.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Istio KubeZero Umbrella Chart for Istio
@ -21,9 +21,9 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://istio-release.storage.googleapis.com/charts | base | 1.19.4 | | https://istio-release.storage.googleapis.com/charts | base | 1.21.0 |
| https://istio-release.storage.googleapis.com/charts | istiod | 1.19.4 | | https://istio-release.storage.googleapis.com/charts | istiod | 1.21.0 |
| https://kiali.org/helm-charts | kiali-server | 1.76.0 | | https://kiali.org/helm-charts | kiali-server | 1.82.0 |
## Values ## Values


@ -5,18 +5,18 @@ folder: Istio
condition: '.Values.istiod.telemetry.enabled' condition: '.Values.istiod.telemetry.enabled'
dashboards: dashboards:
- name: istio-control-plane - name: istio-control-plane
url: https://grafana.com/api/dashboards/7645/revisions/187/download url: https://grafana.com/api/dashboards/7645/revisions/201/download
tags: tags:
- Istio - Istio
- name: istio-mesh - name: istio-mesh
url: https://grafana.com/api/dashboards/7639/revisions/187/download url: https://grafana.com/api/dashboards/7639/revisions/201/download
tags: tags:
- Istio - Istio
- name: istio-service - name: istio-service
url: https://grafana.com/api/dashboards/7636/revisions/187/download url: https://grafana.com/api/dashboards/7636/revisions/201/download
tags: tags:
- Istio - Istio
- name: istio-workload - name: istio-workload
url: https://grafana.com/api/dashboards/7630/revisions/187/download url: https://grafana.com/api/dashboards/7630/revisions/201/download
tags: tags:
- Istio - Istio

File diff suppressed because one or more lines are too long


@ -58,13 +58,13 @@ storage:
istio: istio:
enabled: false enabled: false
namespace: istio-system namespace: istio-system
targetRevision: 0.19.4 targetRevision: 0.21.0
istio-ingress: istio-ingress:
enabled: false enabled: false
chart: kubezero-istio-gateway chart: kubezero-istio-gateway
namespace: istio-ingress namespace: istio-ingress
targetRevision: 0.19.4 targetRevision: 0.21.0
gateway: gateway:
service: {} service: {}
@ -72,7 +72,7 @@ istio-private-ingress:
enabled: false enabled: false
chart: kubezero-istio-gateway chart: kubezero-istio-gateway
namespace: istio-ingress namespace: istio-ingress
targetRevision: 0.19.4 targetRevision: 0.21.0
gateway: gateway:
service: {} service: {}