From 0c88f62889150deb8f96c029d7d7b3778fc272d9 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Tue, 21 Jul 2020 18:30:21 +0100
Subject: [PATCH] Add KubeZero default Istio config
---
.../templates/ingress-certificate.yaml | 12 ++
.../templates/ingress-gateway.yaml | 68 +++++++++
.../templates/istio-private-ingress.yaml | 97 +++++++++++++
charts/kubezero-istio/templates/istio.yaml | 130 ++++++++++++++++++
charts/kubezero-istio/upgrade_from_14.sh | 15 ++
charts/kubezero-istio/values.yaml | 10 ++
deploy/templates/values.yaml | 6 +-
7 files changed, 334 insertions(+), 4 deletions(-)
create mode 100644 charts/kubezero-istio/templates/ingress-certificate.yaml
create mode 100644 charts/kubezero-istio/templates/ingress-gateway.yaml
create mode 100644 charts/kubezero-istio/templates/istio-private-ingress.yaml
create mode 100644 charts/kubezero-istio/templates/istio.yaml
create mode 100755 charts/kubezero-istio/upgrade_from_14.sh
diff --git a/charts/kubezero-istio/templates/ingress-certificate.yaml b/charts/kubezero-istio/templates/ingress-certificate.yaml
new file mode 100644
index 00000000..301af2a4
--- /dev/null
+++ b/charts/kubezero-istio/templates/ingress-certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: public-ingress-cert
+ namespace: istio-system
+spec:
+ secretName: public-ingress-cert
+ issuerRef:
+ name: letsencrypt-dns-prod
+ kind: ClusterIssuer
+ dnsNames:
+{{ toYaml .Values.ingress.dnsNames | indent 4 }}
diff --git a/charts/kubezero-istio/templates/ingress-gateway.yaml b/charts/kubezero-istio/templates/ingress-gateway.yaml
new file mode 100644
index 00000000..7f31c2b4
--- /dev/null
+++ b/charts/kubezero-istio/templates/ingress-gateway.yaml
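Review bot: `dnsNames` is rendered straight from `.Values.ingress.dnsNames`, whose chart default further down in this patch (charts/kubezero-istio/values.yaml) is the placeholder `"*.example.com"`, so an install that forgets to override it asks the `letsencrypt-dns-prod` ClusterIssuer for a wildcard on a domain the cluster does not own. Failing the render is safer than a default that can never validate: `{{ required "ingress.dnsNames must be set" .Values.ingress.dnsNames | toYaml | indent 4 }}`. A one-line comment above the field, `# dnsNames must be overridden per cluster; the chart default is a placeholder`, would also help whoever reads the rendered manifest.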
@@ -0,0 +1,68 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: ingressgateway
+ namespace: istio-system
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ privateKey: /etc/istio/ingressgateway-certs/tls.key
+ serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+ credentialName: public-ingress-cert
+
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: private-ingressgateway
+ namespace: istio-system
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ selector:
+ istio: private-ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ privateKey: /etc/istio/ingressgateway-certs/tls.key
+ serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+ credentialName: public-ingress-cert
+ - port:
+ number: 24224
+ name: fluentd-forward
+ protocol: TCP
+ hosts:
+ - "*"
diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml
new file mode 100644
index 00000000..65226eb0
--- /dev/null
+++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml
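Review bot: Both HTTPS servers set `credentialName: public-ingress-cert` together with file-based `privateKey` and `serverCertificate` paths; with `sds.enabled: true` in the gateway values of this patch, Istio serves the certificate from the named secret and, as far as I can tell, ignores the two file paths, so they are dead configuration pointing at a mount that may not carry a certificate at all. Dropping the two path lines from each server makes the actual certificate source unambiguous. The private gateway's `fluentd-forward` server on 24224 is plain `TCP` with no `tls` stanza, which is acceptable only if that gateway is reachable solely from the private network; a comment such as `# plain TCP: relies on the private ingress being unreachable from the internet` would record that assumption next to the server.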
@@ -0,0 +1,97 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: kubezero-istio-private-ingress
+ namespace: istio-system
+spec:
+ profile: empty
+ components:
+ ingressGateways:
+ - name: istio-private-ingressgateway
+ enabled: true
+ namespace: istio-system
+ k8s:
+ env:
+ - name: ISTIO_META_HTTP10
+ value: '"1"'
+ - name: ISTIO_META_ROUTER_MODE
+ value: standard
+ hpaSpec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ targetAverageUtilization: 80
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-private-ingressgateway
+ nodeSelector:
+ node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ values:
+ gateways:
+ istio-ingressgateway:
+ externalTrafficPolicy: Local
+ labels:
+ app: istio-private-ingressgateway
+ istio: private-ingressgateway
+ meshExpansionPorts: []
+ podAntiAffinityLabelSelector:
+ - key: app
+ operator: In
+ topologyKey: kubernetes.io/hostname
+ values: istio-ingressgateway
+ ports:
+ - name: http2
+ nodePort: 31080
+ port: 80
+ targetPort: 80
+ - name: https
+ nodePort: 31443
+ port: 443
+ - name: amqp
+ nodePort: 30672
+ port: 5672
+ targetPort: 5672
+ - name: amqps
+ nodePort: 30671
+ port: 5671
+ targetPort: 5671
+ - name: fluentd-forward
+ nodePort: 31224
+ port: 24224
+ targetPort: 24224
+ sds:
+ enabled: true
+ image: node-agent-k8s
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ secretVolumes:
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ type: NodePort
+
+ global:
+ jwtPolicy: first-party-jwt
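Review bot: `podAntiAffinityLabelSelector` still matches `values: istio-ingressgateway`, but this gateway's pods carry `app: istio-private-ingressgateway`, so the anti-affinity (if the operator applies the selector to this named gateway) keeps private gateway pods away from the public gateway's pods rather than spreading the private replicas across nodes; it should read `values: istio-private-ingressgateway`. The Service also publishes `amqp`/`amqps` on node ports 30672/30671, which the node label value `31080_31443_30671_30672_31224` encodes, while the private Gateway in ingress-gateway.yaml only declares servers for 80, 443 and 24224, so those node ports are opened on the nodes but nothing behind them listens unless a Gateway for 5671/5672 exists outside this patch. Either add the missing servers or remove the two port entries and the matching label components, and keep the label value and the `ports` list in sync with a comment saying so.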
diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml
new file mode 100644
index 00000000..904d2b19
--- /dev/null
+++ b/charts/kubezero-istio/templates/istio.yaml
@@ -0,0 +1,130 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: kubezero-istio
+ namespace: istio-system
+spec:
+ profile: empty
+ addonComponents:
+ prometheus:
+ enabled: false
+ components:
+ base:
+ enabled: true
+ citadel:
+ enabled: false
+ galley:
+ enabled: false
+ ingressGateways:
+ - enabled: true
+ k8s:
+ env:
+ - name: ISTIO_META_HTTP10
+ value: '"1"'
+ - name: ISTIO_META_ROUTER_MODE
+ value: standard
+ hpaSpec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ targetAverageUtilization: 80
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-ingressgateway
+ nodeSelector:
+ node.kubernetes.io/ingress.public: "30080_30443"
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ name: istio-ingressgateway
+ pilot:
+ enabled: true
+ k8s:
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ policy:
+ enabled: true
+ k8s:
+ replicaCount: 1
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ sidecarInjector:
+ enabled: false
+ telemetry:
+ enabled: false
+ values:
+ gateways:
+ istio-ingressgateway:
+ externalTrafficPolicy: Local
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ meshExpansionPorts: []
+ podAntiAffinityLabelSelector:
+ - key: app
+ operator: In
+ topologyKey: kubernetes.io/hostname
+ values: istio-ingressgateway
+ ports:
+ - name: http2
+ nodePort: 30080
+ port: 80
+ targetPort: 80
+ - name: https
+ nodePort: 30443
+ port: 443
+ sds:
+ enabled: true
+ image: node-agent-k8s
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ secretVolumes:
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ type: NodePort
+ meshConfig:
+ accessLogFile: /dev/stdout
+ disablePolicyChecks: false
+ global:
+ jwtPolicy: first-party-jwt
+ omitSidecarInjectorConfigMap: true
+ proxy:
+ accessLogEncoding: JSON
+ autoInject: disabled
+ envoyStatsd:
+ enabled: false
+ useMCP: false
+ pilot:
+ sidecar: false
diff --git a/charts/kubezero-istio/upgrade_from_14.sh b/charts/kubezero-istio/upgrade_from_14.sh
new file mode 100755
index 00000000..49467fdb
--- /dev/null
+++ b/charts/kubezero-istio/upgrade_from_14.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# First delete old 1.4
+kubectl delete -f ingress-gateway.yaml
+kubectl delete -f istio.yaml
+kubectl delete -f istio-init.yaml
+kubectl delete -f namespace.yaml
+
+# Now we need to install the new Istio Operator via KubeZero
+
+# deploy the CR for 1.6
+kubectl apply -f istio-1.6.yaml
+
+# add the additiona private ingress gateway as dedicated CR
+kubectl apply -f istio-1.6-private-ingress.yaml
diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml
index ce028acc..8c087e67 100644
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@@ -1,3 +1,13 @@
+istiod:
+ autoscale: true
+ # replicaCount: 2
+
+ingress:
+ autoscale: true
+ # replicaCount: 2
+ dnsNames:
+ - "*.example.com"
+
 istio-operator:
 hub: docker.io/istio
 tag: 1.6.5
diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml
index 5730224b..3eb11b62 100644
--- a/deploy/templates/values.yaml
+++ b/deploy/templates/values.yaml
@@ -16,10 +16,7 @@ kubezero:
 cert-manager:
 enabled: {{ index .Values "cert-manager" "enabled" }}
 values:
-{{- if .Values.bootstrap }}
- localCA:
- enabled: false
-{{- else }}
+{{- if not .Values.bootstrap }}
 {{- if .Values.aws }}
 cert-manager:
 podAnnotations:
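Review bot: `global.jwtPolicy: first-party-jwt` (set here and again in the private-ingress CR) makes the proxies authenticate to istiod with the legacy service-account tokens, which are long-lived and not audience-bound, instead of the projected `third-party-jwt` tokens that are the safer choice wherever the cluster supports them; nothing in the patch says why the legacy policy is needed. A comment would keep it from being cargo-culted into later clusters: `# first-party-jwt: TODO confirm the cluster lacks projected service-account tokens; switch to third-party-jwt once it has them`. Separately, `policy.enabled: true` with `meshConfig.disablePolicyChecks: false` turns on the Mixer policy path, which is deprecated in the 1.6 line pinned by `tag: 1.6.5` and adds a per-request check; if no Mixer policy adapters are in use, disabling it would match the already disabled `telemetry` component.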
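Review bot: The script has no `set -e`, so a failed `kubectl delete` or `kubectl apply` is silently skipped and the script still exits 0; in particular `istio-1.6.yaml` and `istio-1.6-private-ingress.yaml` are not files this patch adds (the 1.6 CRs are Helm templates under `templates/` and need rendering first), so on a fresh checkout both apply steps would fail without anyone noticing. Add `set -euo pipefail` after the shebang, run from the script's own directory with `cd "$(dirname "$0")"`, and pass `--ignore-not-found` to the four delete calls so the script stays re-runnable under `set -e`. The comment `# add the additiona private ingress gateway` also has a typo (`additional`).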
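Review bot: `istiod.autoscale` and `ingress.autoscale` are new values that no template in this patch reads — the only `.Values` reference added is `.Values.ingress.dnsNames`, and both IstioOperator CRs hard-code their `hpaSpec` — so unless a template outside this commit consumes them they are dead knobs that advertise a toggle which does nothing. Either guard the `hpaSpec` blocks with `{{- if .Values.ingress.autoscale }}` (and the pilot replica settings with `.Values.istiod.autoscale`) or drop the two keys until they are wired up. The commented-out `# replicaCount: 2` lines are ambiguous in the same way; a short comment stating what they are meant to drive, or their removal, would help.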
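Review bot: Replacing the `{{- if .Values.bootstrap }} … localCA: enabled: false … {{- else }}` branch with `{{- if not .Values.bootstrap }}` means the bootstrap case no longer pins `localCA.enabled`, so it falls back to whatever the kubezero cert-manager chart defaults to; if that default is not `false`, bootstrap installs would start creating a local CA. If relying on the subchart default is the intent, a comment on the `values:` line, `# bootstrap: no overrides, rely on the cert-manager chart defaults (no localCA)`, records that and makes the next reader check the default rather than assume it. The matching `{{- end }}` and the rest of the `values:` block are outside the hunk.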
@@ -41,6 +38,7 @@ kubezero: region: {{ .Values.region }} {{- end }} + # AWS only components {{- if .Values.aws }} aws-ebs-csi-driver: enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}