{{- define "istio-private-ingress-values" }} gateway: name: istio-private-ingressgateway labels: app: istio-private-ingressgateway istio: private-ingressgateway {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} {{- end }} # Only nodes who are fronted with matching private NLB affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node.kubernetes.io/ingress.private operator: Exists podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - istio-private-ingressgateway topologyKey: "kubernetes.io/hostname" service: ports: - name: status-port port: 15021 nodePort: 31021 noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 31080 gatewayProtocol: HTTP2 tls: httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 31443 gatewayProtocol: HTTPS tls: mode: SIMPLE {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }} {{- toYaml . | nindent 4 }} {{- end }} # custom hardened bootstrap config env: ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json volumes: - name: custom-bootstrap-volume configMap: name: private-ingressgateway-bootstrap-config volumeMounts: - mountPath: /etc/istio/custom-bootstrap name: custom-bootstrap-volume readOnly: true telemetry: enabled: {{ $.Values.metrics.enabled }} certificates: {{- range $cert := index .Values "istio-private-ingress" "certificates" }} - name: {{ $cert.name }} dnsNames: {{- toYaml $cert.dnsNames | nindent 4 }} {{- end }} proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }} {{- end }} {{- define "istio-private-ingress-argo" }} {{- end }} {{ include "kubezero-app.app" . }}