From 9b28807d478eec00b6dacdd982883d4d68f7af4d Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 21 Apr 2022 16:37:28 +0200 Subject: [PATCH] feat: New Istio gateway deploy first working PoC --- charts/kubezero-istio-gateway/README.md | 117 ++++-------------- .../templates/envoyfilter-proxy-protocol.yaml | 4 +- charts/kubezero-istio-gateway/values.yaml | 50 +------- 3 files changed, 24 insertions(+), 147 deletions(-) diff --git a/charts/kubezero-istio-gateway/README.md b/charts/kubezero-istio-gateway/README.md index a4f2f9b..d35d3eb 100644 --- a/charts/kubezero-istio-gateway/README.md +++ b/charts/kubezero-istio-gateway/README.md @@ -1,8 +1,8 @@ -# kubezero-istio-ingress +# kubezero-istio-gateway -![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) -KubeZero Umbrella Chart for Istio based Ingress +KubeZero Umbrella Chart for Istio gateways Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! 
@@ -12,111 +12,36 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! | Name | Email | Url | | ---- | ------ | --- | -| Quarky9 | | | +| Stefan Reimer | stefan@zero-downtime.net | | ## Requirements -Kubernetes: `>= 1.18.0` +Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | istio-ingress | 1.11.3 | -| | istio-private-ingress | 1.11.3 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | +| https://istio-release.storage.googleapis.com/charts | gateway | 1.13.3 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.arch.amd64 | int | `2` | | -| global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.logAsJson | bool | `true` | | -| global.priorityClassName | string | `"system-cluster-critical"` | | -| istio-ingress.certificates[0].dnsNames | list | `[]` | | -| istio-ingress.certificates[0].name | string | `"ingress-cert"` | | -| istio-ingress.enabled | bool | `false` | | -| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | -| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | -| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | -| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | | -| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | -| 
istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | -| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | -| 
istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | -| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | -| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | -| istio-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | | -| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | -| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | -| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-ingress.proxyProtocol | bool | `true` | | -| istio-ingress.telemetry.enabled | bool | `false` | | -| istio-private-ingress.certificates[0].dnsNames | list | `[]` | | -| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | | -| istio-private-ingress.enabled | bool | `false` | | -| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | -| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | -| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | -| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | | -| 
istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| 
istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | -| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | -| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | | -| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | -| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | -| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-private-ingress.proxyProtocol | bool | `true` | | -| istio-private-ingress.telemetry.enabled | bool | `false` | | +| certificates[0].dnsNames | list | `[]` | | +| certificates[0].name | string | `"ingress-cert"` | | +| gateway.autoscaling.enabled | bool | `false` | | +| gateway.autoscaling.maxReplicas | int | `4` | | +| gateway.autoscaling.minReplicas | int | `1` | | +| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | +| gateway.replicaCount | int | `1` | | +| gateway.resources.limits.memory | string | `"512Mi"` | | +| gateway.resources.requests.cpu | string | `"50m"` | | +| gateway.resources.requests.memory | string | `"64Mi"` | | +| gateway.service.externalTrafficPolicy | string | `"Local"` | | +| gateway.service.type | string | 
`"NodePort"` | | +| proxyProtocol | bool | `true` | | +| telemetry.enabled | string | `"falser"` | | ## Resources diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml index 1c1fce6..a1fa22d 100644 --- a/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml +++ b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml @@ -16,6 +16,6 @@ spec: operation: MERGE value: listener_filters: - - name: envoy.listener.proxy_protocol - - name: envoy.listener.tls_inspector + - name: envoy.filters.listener.proxy_protocol + - name: envoy.filters.listener.tls_inspector {{- end }} diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml index 873221f..bee461f 100644 --- a/charts/kubezero-istio-gateway/values.yaml +++ b/charts/kubezero-istio-gateway/values.yaml 
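Review bot: The renamed listener filters `envoy.filters.listener.proxy_protocol` and `envoy.filters.listener.tls_inspector` carry no comment explaining why the names changed or what the PROXY-protocol filter assumes, so a reader of this template cannot tell that the old `envoy.listener.*` aliases are the deprecated spellings, nor that the filter takes the client address from the PROXY header on every connection and therefore only yields trustworthy source addresses when the gateway is reachable solely through the load balancer that injects that header. Add above the `listener_filters:` list a comment such as `# canonical Envoy filter names; the envoy.listener.* aliases are deprecated` and `# proxy_protocol reads the client address from the PROXY header: keep the gateway reachable only via the NLB that sets it`. The EnvoyFilter resource and the conditional closed by `{{- end }}` begin outside the hunk.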
@@ -24,64 +24,16 @@ gateway: # noGateway: true -> this port does NOT get mapped to a Gateway port # tls: optional gateway port setting # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! - ports: - - name: status-port - port: 15021 - nodePort: 30021 - noGateway: true - - name: http2 - port: 80 - targetPort: 8080 - nodePort: 30080 - gatewayProtocol: HTTP2 - tls: - httpsRedirect: true - - name: https - port: 443 - targetPort: 8443 - nodePort: 30443 - gatewayProtocol: HTTPS - tls: - mode: SIMPLE - - affinity: - # Only nodes who are fronted with matching NLB - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.kubernetes.io/ingress.public - operator: Exists - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - istio-ingressgateway - topologyKey: "kubernetes.io/hostname" podAnnotations: proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' - # TODO - # custom hardened bootstrap config - #env: - # ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json - - #configVolumes: - #- name: custom-bootstrap-volume - # mountPath: /etc/istio/custom-bootstrap - # configMapName: istio-gateway-bootstrap-config - - certificates: - name: ingress-cert dnsNames: [] # - '*.example.com' telemetry: - enabled: false + enabled: falser proxyProtocol: true
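Review bot: `enabled: falser` under `telemetry:` is a typo that YAML reads as the string "falser" rather than the boolean false, which is why the regenerated README in this same commit now documents `telemetry.enabled` as type string with default `"falser"`; a non-empty string is truthy to Helm's `if`, so a template gated on `.Values.telemetry.enabled` would presumably switch telemetry on instead of off. Change the line to `  enabled: false`. Separately, the hunk drops the `nodeAffinity` on `node.kubernetes.io/ingress.public` and the `podAntiAffinity` without a visible replacement; with `proxyProtocol: true` kept and, per the README, `gateway.service.externalTrafficPolicy: "Local"` on a NodePort service, the gateway pods should still be pinned to the nodes fronted by the PROXY-protocol load balancer, so either carry the affinity over into the upstream chart's gateway affinity value or add a comment stating why it is no longer needed. The enclosing `gateway:` mapping starts outside the hunk.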