{{- define "istio-private-ingress-values" }} gateway: name: istio-private-ingressgateway {{- if ne .Values.global.platform "gke" }} priorityClassName: "system-cluster-critical" {{- end }} {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} {{- if gt (int .) 1 }} podDisruptionBudget: minAvailable: 1 {{- end }} {{- end }} # Only nodes who are fronted with matching LB affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: {{- if eq .Values.global.platform "gke" }} - key: "kubezero.zero-downtime.net/ingress.public" {{- else }} - key: "node.kubernetes.io/ingress.public" {{- end }} operator: Exists topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-private-ingressgateway istio: private-ingressgateway - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-private-ingressgateway istio: private-ingressgateway service: ports: - name: status-port port: 15021 nodePort: 31021 noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 31080 gatewayProtocol: HTTP2 tls: httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 31443 gatewayProtocol: HTTPS tls: mode: SIMPLE {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }} {{- toYaml . | nindent 4 }} {{- end }} # custom hardened bootstrap config env: ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json volumes: - name: custom-bootstrap-volume configMap: name: private-ingressgateway-bootstrap-config volumeMounts: - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume readOnly: true telemetry: enabled: {{ $.Values.metrics.enabled }} certificates: {{- range $cert := index .Values "istio-private-ingress" "certificates" }} - name: {{ $cert.name }} dnsNames: {{- toYaml $cert.dnsNames | nindent 4 }} {{- end }} proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }} {{- with (index .Values "istio-private-ingress" "hardening") }} hardening: {{- toYaml . | nindent 2 }} {{- end }} {{- end }} {{- define "istio-private-ingress-argo" }} {{- end }} {{ include "kubezero-app.app" . }}