{{- define "istio-ingress-values" }} gateway: name: istio-ingressgateway {{- with index .Values "istio-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} {{- end }} {{- if not (index .Values "istio-ingress" "gateway" "affinity") }} # Only nodes who are fronted with matching LB affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node.kubernetes.io/ingress.public operator: Exists {{- end }} topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-ingressgateway istio: ingressgateway - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-ingressgateway istio: ingressgateway service: {{- with index .Values "istio-ingress" "gateway" "service" "type" }} type: {{ . }} {{- end }} ports: - name: status-port port: 15021 nodePort: 30021 noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 30080 gatewayProtocol: HTTP2 tls: httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 30443 gatewayProtocol: HTTPS tls: mode: SIMPLE {{- with index .Values "istio-ingress" "gateway" "service" "ports" }} {{- toYaml . | nindent 4 }} {{- end }} # custom hardened bootstrap config env: ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json volumes: - name: custom-bootstrap-volume configMap: name: ingressgateway-bootstrap-config volumeMounts: - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume readOnly: true telemetry: enabled: {{ $.Values.metrics.enabled }} {{- with index .Values "istio-ingress" "certificates" }} certificates: {{- range $cert := . }} - name: {{ $cert.name }} dnsNames: {{- toYaml $cert.dnsNames | nindent 4 }} {{- end }} {{- end }} proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }} {{- end }} {{- define "istio-ingress-argo" }} {{- end }} {{ include "kubezero-app.app" . }}