diff --git a/charts/kubezero-istio-ingress/bootstrap-config.yaml b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
similarity index 72%
rename from charts/kubezero-istio-ingress/bootstrap-config.yaml
rename to charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
index fb39ddc..bf2c386 100644
--- a/charts/kubezero-istio-ingress/bootstrap-config.yaml
+++ b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
@@ -1,6 +1,6 @@
 # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
 # https://github.com/istio/istio/issues/24715
-
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -39,10 +39,21 @@ data:
 {
 "name": "envoy.resource_monitors.fixed_heap",
 "typed_config": {
- "@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig",
+ "@type": "type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig",
 "max_heap_size_bytes": 536870912
 }
 }
 ]
+ },
+ "layeredRuntime": {
+ "layers": [
+ {
+ "name": "static_layer_0",
+ "staticLayer": {
+ "overload.global_downstream_max_connections": 50000
+ }
+ }
+ ]
 }
 }
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
new file mode 100644
index 0000000..5d6a29a
--- /dev/null
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml
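Review bot: The fixed_heap resource monitor's `@type` moves from the v3 URL `envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig` back to the v2alpha URL `envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig`, which is the older API generation; the file header cites the Envoy v1.17.1 edge guide, and around that line the v2 typed configs were on a removal path, so a proxy image that no longer accepts them would reject the whole bootstrap at startup and the gateway would not come up, which is worth confirming against the proxy version the chart actually ships. If the older URL is required because the proxy in use rejects the v3 one, record that where the next reader looks, e.g. in the YAML header of this file: `# fixed_heap uses the v2alpha type URL on purpose (v3 rejected by the current proxy); revisit on proxy upgrade`. The new `layeredRuntime` static layer is the right place for `overload.global_downstream_max_connections`, but the enclosing overload manager object and the `data:` key begin outside this hunk, so the interaction with any configured overload actions cannot be checked here.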
@@ -0,0 +1,36 @@
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ingressgateway-hardening
+ namespace: {{ .Release.Namespace }}
+spec:
+ configPatches:
+ - applyTo: CLUSTER
+ patch:
+ operation: MERGE
+ value:
+ connect_timeout: 15s
+ per_connection_buffer_limit_bytes: 32768 # 32 KiB
+ - applyTo: NETWORK_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: MERGE
+ value:
+ name: "envoy.filters.network.http_connection_manager"
+ typed_config:
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+ common_http_protocol_options:
+ idle_timeout: 3600s # 1 hour
+ # headers_with_underscores_action: REJECT_REQUEST
+ http2_protocol_options:
+ max_concurrent_streams: 500
+ initial_stream_window_size: 65536 # 64 KiB
+ initial_connection_window_size: 1048576 # 1 MiB
+ #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
+ #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
new file mode 100644
index 0000000..da8feea
--- /dev/null
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
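Review bot: Neither patch in this EnvoyFilter is scoped to the gateway proxies: there is no `workloadSelector` (the removed `envoyfilter.yaml` carried `istio: ingressgateway` and `istio: private-ingressgateway` selectors) and neither `configPatches` entry has a `match.context`, so the CLUSTER merge (`connect_timeout`, `per_connection_buffer_limit_bytes`) and the HCM merge apply to every proxy in `{{ .Release.Namespace }}`, and if that namespace is the mesh root namespace, to every sidecar in the mesh. Add `context: GATEWAY` under the NETWORK_FILTER patch's existing `match:` and give the CLUSTER patch its own `match:` / `context: GATEWAY` so the hardening stays on the ingress gateways; the same omission applies to `envoyfilter-keepalive-nlb.yaml`. The CLUSTER patch also has no cluster-level match, so the 15s connect timeout and 32 KiB buffer cap land on every upstream cluster of the selected proxies, which is plausible for an edge gateway but deserves a comment such as `# applies to every upstream cluster of the gateway`.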
@@ -0,0 +1,31 @@
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ingressgateway-listener-tcp-keepalive
+ namespace: {{ .Release.Namespace }}
+spec:
+ configPatches:
+ - applyTo: LISTENER
+ patch:
+ operation: MERGE
+ value:
+ socket_options:
+ # SOL_SOCKET = 1
+ # SO_KEEPALIVE = 9
+ - level: 1
+ name: 9
+ int_value: 1
+ state: STATE_LISTENING
+ # IPPROTO_TCP = 6
+ # TCP_KEEPIDLE = 4
+ - level: 6
+ name: 4
+ int_value: 60
+ state: STATE_LISTENING
+ # TCP_KEEPINTVL = 5
+ - level: 6
+ name: 5
+ int_value: 60
+ state: STATE_LISTENING
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml
deleted file mode 100644
index f11e290..0000000
--- a/charts/kubezero-istio-ingress/templates/envoyfilter.yaml
+++ /dev/null
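Review bot: The file name says `nlb` but nothing in the template explains why the listening sockets need keepalives, and the `level`/`name` values are Linux-specific socket constants, so a header comment would help the next maintainer, e.g. `# Enable TCP keepalive on gateway listeners so idle client connections through the load balancer are not dropped silently; option numbers are Linux values`. Only `TCP_KEEPIDLE` and `TCP_KEEPINTVL` are set, so the probe count falls back to the node kernel's `net.ipv4.tcp_keepalive_probes`; if a predictable dead-peer detection time matters, also set `TCP_KEEPCNT` (6 on Linux) in the same list. Scoping of this filter to the gateway workloads is raised on `envoyfilter-hardening.yaml`.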
@@ -1,70 +0,0 @@
-{{- if index .Values "istio-ingress" "enabled" }}
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: ingressgateway-listener-tcp-keepalive
- namespace: {{ .Release.Namespace }}
-spec:
- workloadSelector:
- labels:
- istio: ingressgateway
- configPatches:
- - applyTo: LISTENER
- patch:
- operation: MERGE
- value:
- socket_options:
- # SOL_SOCKET = 1
- # SO_KEEPALIVE = 9
- - level: 1
- name: 9
- int_value: 1
- state: STATE_LISTENING
- # IPPROTO_TCP = 6
- # TCP_KEEPIDLE = 4
- - level: 6
- name: 4
- int_value: 60
- state: STATE_LISTENING
- # TCP_KEEPINTVL = 5
- - level: 6
- name: 5
- int_value: 60
- state: STATE_LISTENING
-{{- end }}
-
-{{- if index .Values "istio-private-ingress" "enabled" }}
----
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
- name: private-ingressgateway-listener-tcp-keepalive
- namespace: {{ .Release.Namespace }}
-spec:
- workloadSelector:
- labels:
- istio: private-ingressgateway
- configPatches:
- - applyTo: LISTENER
- patch:
- operation: MERGE
- value:
- socket_options:
- # SOL_SOCKET = 1
- # SO_KEEPALIVE = 9
- - level: 1
- name: 9
- int_value: 1
- state: STATE_LISTENING
- # IPPROTO_TCP = 6
- # TCP_KEEPIDLE = 4
- - level: 6
- name: 4
- int_value: 60
- state: STATE_LISTENING
- # TCP_KEEPINTVL = 5
- - level: 6
- name: 5
- int_value: 60
- state: STATE_LISTENING
-{{- end }}
diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml
index 79642a1..0cf503a 100644
--- a/charts/kubezero-istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/values.yaml
@@ -37,8 +37,17 @@ istio-ingress:
 topologyKey: kubernetes.io/hostname
 values: istio-ingressgateway
 type: NodePort
- #podAnnotations:
- # sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
+ podAnnotations:
+ proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
+
+ # custom hardened bootstrap config
+ env:
+ ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+ configVolumes:
+ - name: custom-bootstrap-volume
+ mountPath: /etc/istio/custom-bootstrap
+ configMapName: istio-gateway-bootstrap-config
+
 # The node selector is normally the list of nodeports, see CloudBender
 nodeSelector:
 node.kubernetes.io/ingress.public: "30080_30443"
@@ -107,6 +116,9 @@ istio-private-ingress:
 topologyKey: kubernetes.io/hostname
 values: istio-private-ingressgateway
 type: NodePort
+ podAnnotations:
+ # sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
+ proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
 nodeSelector:
 node.kubernetes.io/ingress.private: "31080_31443"
 #nodeSelector: "31080_31443_31671_31672_31224"
diff --git a/charts/kubezero-istio/.gitignore b/charts/kubezero-istio/.gitignore
index 3c48b60..07f190b 100644
--- a/charts/kubezero-istio/.gitignore
+++ b/charts/kubezero-istio/.gitignore
@@ -1,2 +1,3 @@
 istioctl
 istio
+istio.zdt
diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml
index ad1fe62..04e34d5 100644
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@@ -35,11 +35,5 @@ istio-discovery:
 enabled: false
 meshConfig:
- defaultConfig:
- terminationDrainDuration: 20s
 accessLogFile: /dev/stdout
 accessLogEncoding: 'JSON'
- h2UpgradePolicy: 'DO_NOT_UPGRADE'
- tcpKeepalive:
- interval: 30s
- time: 60s
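Review bot: `ISTIO_BOOTSTRAP_OVERRIDE` points at `/etc/istio/custom-bootstrap/custom_bootstrap.json`, so the `istio-gateway-bootstrap-config` ConfigMap mounted through `configVolumes` must carry its JSON under a data key named exactly `custom_bootstrap.json`; that key lies outside the bootstrap-config hunk in this diff, so it should be confirmed, because a mismatch would leave the gateway on the stock bootstrap without the overload monitor and the downstream connection cap this commit is introducing. A comment at the volume makes the coupling visible: `# ConfigMap key must be custom_bootstrap.json, matching ISTIO_BOOTSTRAP_OVERRIDE above`. Moving `terminationDrainDuration` into the gateway `proxy.istio.io/config` annotation coincides with dropping it from `meshConfig.defaultConfig` in kubezero-istio/values.yaml further down, so ordinary sidecars presumably fall back to Istio's default drain time; if that is intended, a one-line note in the values would save the next reader from reinstating it.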
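Review bot: The private ingress receives only the `podAnnotations` block, with the `sidecar.istio.io/bootstrapOverride` line still commented out, while the public ingress hunk above also adds `env.ISTIO_BOOTSTRAP_OVERRIDE` and `configVolumes`; as written the private gateway keeps the stock bootstrap, without the fixed-heap overload monitor and the `overload.global_downstream_max_connections` cap, even though `bootstrap-config.yaml` now renders whenever either ingress is enabled. If that asymmetry is deliberate, say so in place, e.g. `# private ingress intentionally runs the default bootstrap`; otherwise mirror the `env` and `configVolumes` entries from the public ingress here.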