Add CONTEXT_DIR, feature flags.

+bases:
+  - ../environments.yaml
+
 ---
 releases:
   - name: cert-manager
     chart: .
     wait: true
+    condition: cert-manager.enabled
 ---

+bases:
+  - ../environments.yaml
+
 ---
 releases:
   - name: cluster-issuer
     namespace: cert-manager
     chart: .
     wait: true
+    condition: cert-manager.enabled
 ---

@@ -67,6 +67,8 @@ x-k3s-agent-base: &_x-k3s-agent-base
   networks:
     default:
     nginx:
+  ports:
+    - 443
   environment:
     - K3S_URL=https://k3s-master:6443
     - K3S_TOKEN_FILE=/var/lib/rancher/k3s/server/node-token

+environments:
+  default:
+    values:
+      - cert-manager:
+          enabled: {{ env "CERT_MANAGER__ENABLED" | default true }}
+        istio:
+          enabled: {{ env "ISTIO__ENABLED" | default true }}

+bases:
+  - environments.yaml
+
+---
+
 helmfiles:
   - cert-manager/helmfile.yaml
   - cluster-issuer/helmfile.yaml

+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  values:
+    global:
+      proxy:
+        autoInject: enabled
+      useMCP: false
+      # The third-party-jwt is not enabled on all k8s.
+      # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
+      jwtPolicy: third-party-jwt
+
+  addonComponents:
+    pilot:
+      enabled: true
+
+  components:
+    ingressGateways:
+      - name: istio-ingressgateway
+        enabled: true

+#!/bin/bash
+
+CONTEXT_DIR="$TOP_DIR"
+
+declare -a args
+declare -A features=(
+	[cert-manager]=1
+	[istio]=1
+)
+
+while [[ $# -gt 0 ]]; do
+	arg="$1"
+	shift
+	case "$arg" in
+		(--context-dir)
+			CONTEXT_DIR="$1"
+			shift
+			;;
+		(--feature)
+			features[$1]=1
+			shift
+			;;
+		(--no-feature)
+			features[$1]=
+			shift
+			;;
+		(*)
+			args+=("$arg")
+			;;
+	esac
+done
+set -- "${args[@]}"
+
+for feature in "${!features[@]}"; do
+	fixed_feature="${feature^^*}"
+	fixed_feature="${fixed_feature//-/_}"
+	feature_enabled=false
+	[[ ${features[$feature]} ]] && feature_enabled=true
+	eval "${fixed_feature}_ENABLED"="$feature_enabled"
+	export "${fixed_feature}_ENABLED"
+done
+
+export CONTEXT_DIR

-#!/bin/sh
+#!/bin/bash
 
 set -e
 
 TOP_DIR="$(cd "$(dirname "$0")/.."; echo "$PWD")"
 export TOP_DIR
 
+. "$TOP_DIR/scripts/_parse_args.bash"
+
+case "$1" in
+	(switch-to)
+		"$TOP_DIR/scripts/update-docker-kubeconfig.sh" "$CONTEXT_DIR"
+		exit
+		;;
+	("")
+		;;
+	(*)
+		echo "Unknown command: $1" 1>&2
+		exit 1
+		;;
+esac
+
 "$TOP_DIR/scripts/ensure-certs.sh"
 docker-compose -f "$TOP_DIR/docker-compose.yaml" up -d registry
 "$TOP_DIR/scripts/wait-for-etcd.sh"
 
 docker-compose -f "$TOP_DIR/docker-compose.yaml" up -d k3s-master-1
-"$TOP_DIR/scripts/update-docker-kubeconfig.sh"
+"$TOP_DIR/scripts/update-docker-kubeconfig.sh" "$CONTEXT_DIR"
 "$TOP_DIR/scripts/wait-for-master-1.sh"
 
 docker-compose -f "$TOP_DIR/docker-compose.yaml" up -d k3s-coredns-1 k3s-coredns-2 k3s-coredns-3
@@ -21,5 +36,8 @@ docker-compose -f "$TOP_DIR/docker-compose.yaml" up -d k3s-master-2 k3s-master-3
 
 #docker-compose -f "$TOP_DIR/docker-compose.yaml" up -d k3s-proxy
 
+[[ ${features[istio]} ]] && istioctl install -yf "$TOP_DIR/istio-minimal-operator.yaml"
+
 cd "$TOP_DIR"
-helmfile apply
+
+helmfile --debug apply

-#!/bin/sh
+#!/bin/bash
 
-set -e
+set -ex
 
 TOP_DIR="$(cd "$(dirname "$0")/.."; echo "$PWD")"
 export TOP_DIR
 
+. "$TOP_DIR/scripts/_parse_args.bash"
+
 docker-compose -f "$TOP_DIR/docker-compose.yaml" down "$@"
 

@@ -2,6 +2,8 @@
 
 set -e
 
+CONTEXT_DIR="$1"
+
 TOP_DIR="$(cd "$(dirname "$0")/.."; echo "$PWD")"
 export TOP_DIR
 
@@ -30,8 +32,8 @@ kubectl config --kubeconfig="$tmpd/config.docker" view --raw=true -o jsonpath='{
 kubectl config --kubeconfig="$tmpd/config.docker" view --raw=true -o jsonpath='{.users[].user.client-certificate-data}' | base64 -d > "$tmpd/client-certificate"
 kubectl config --kubeconfig="$tmpd/config.docker" view --raw=true -o jsonpath='{.users[].user.client-key-data}' | base64 -d > "$tmpd/client-key"
 
-kubectl config set-cluster "$TOP_DIR" --embed-certs=true --server="https://$MASTER_IP:6443" --certificate-authority="$tmpd/cluster-certificate-authority" > /dev/null
-kubectl config set-credentials "$TOP_DIR" --embed-certs=true --client-certificate="$tmpd/client-certificate" --client-key="$tmpd/client-key" > /dev/null
-kubectl config set-context "$TOP_DIR" --cluster="$TOP_DIR" --user="$TOP_DIR" > /dev/null
-kubectl config use-context "$TOP_DIR"
+kubectl config set-cluster "$CONTEXT_DIR" --embed-certs=true --server="https://$MASTER_IP:6443" --certificate-authority="$tmpd/cluster-certificate-authority" > /dev/null
+kubectl config set-credentials "$CONTEXT_DIR" --embed-certs=true --client-certificate="$tmpd/client-certificate" --client-key="$tmpd/client-key" > /dev/null
+kubectl config set-context "$CONTEXT_DIR" --cluster="$CONTEXT_DIR" --user="$CONTEXT_DIR" > /dev/null
+kubectl config use-context "$CONTEXT_DIR"