{{- define "istio-private-ingress-values" }} gateway: name: istio-private-ingressgateway {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} {{- end }} {{- if not (index .Values "istio-private-ingress" "gateway" "affinity") }} # Only nodes who are fronted with matching LB affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node.kubernetes.io/ingress.private operator: Exists {{- end }} topologySpreadConstraints: - maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-private-ingressgateway istio: private-ingressgateway - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: istio-private-ingressgateway istio: private-ingressgateway service: ports: - name: status-port port: 15021 nodePort: 31021 noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 31080 gatewayProtocol: HTTP2 tls: httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 31443 gatewayProtocol: HTTPS tls: mode: SIMPLE {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }} {{- toYaml . | nindent 4 }} {{- end }} # custom hardened bootstrap config env: ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json volumes: - name: custom-bootstrap-volume configMap: name: private-ingressgateway-bootstrap-config volumeMounts: - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume readOnly: true telemetry: enabled: {{ $.Values.metrics.enabled }} certificates: {{- range $cert := index .Values "istio-private-ingress" "certificates" }} - name: {{ $cert.name }} dnsNames: {{- toYaml $cert.dnsNames | nindent 4 }} {{- end }} proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }} {{- end }} {{- define "istio-private-ingress-argo" }} {{- end }} {{ include "kubezero-app.app" . }}