8b3feaef by Adam Heath

Checkpoint; basically, the registry can be on an external LoadBalancer

port, *and* on istio VirtualService.
1 parent dfec78f8
......@@ -3,4 +3,5 @@ releases:
- name: cert-manager
chart: .
wait: true
atomic: true
---
......
......@@ -3,4 +3,5 @@ kind: Kustomization
resources:
- ./cluster-issuer.yaml
- ./letsencrypt.yaml
......
......@@ -6,17 +6,28 @@ environments:
strategicMergePatches: []
caIssuer:
secretName: root-ca
letsencrypt:
enabled: true
email: name@example.com
tls_key: replace-me
repositories:
- name: jetstack
url: https://charts.jetstack.io
---
helmfiles:
- path: ./charts/cert-manager/helmfile.yaml
releases:
- name: cert-manager
chart: jetstack/cert-manager
namespace: cert-manager
values:
-
{{- toYaml .Values | nindent 8 }}
- installCRDs: true
releases:
- name: cluster-issuer
chart: charts/cluster-issuer
disableValidationOnInstall: true
needs:
- cert-manager/cert-manager
jsonPatches:
{{- if not (empty (.Values.clusterIssuer.jsonPatches)) }}
{{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }}
......@@ -30,6 +41,39 @@ releases:
spec:
ca:
secretName: {{ .Values.clusterIssuer.caIssuer.secretName }}
- apiVersion: v1
kind: Secret
metadata:
namespace: cert-manager
name: acme-account-key
{{- if .Values.clusterIssuer.letsencrypt.enabled }}
data:
tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key }}
{{- else }}
$patch: delete
{{- end }}
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
namespace: cert-manager
name: letsencrypt-staging
{{- if .Values.clusterIssuer.letsencrypt.enabled }}
spec:
email: {{ .Values.clusterIssuer.letsencrypt.email }}
{{- else }}
$patch: delete
{{- end }}
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
namespace: cert-manager
name: letsencrypt-production
{{- if .Values.clusterIssuer.letsencrypt.enabled }}
spec:
email: {{ .Values.clusterIssuer.letsencrypt.email }}
{{- else }}
$patch: delete
{{- end }}
{{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }}
{{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }}
{{- end }}
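Review bot: The `acme-account-key` Secret places `.Values.clusterIssuer.letsencrypt.tls_key` under `data:`, which Kubernetes requires to be base64, so unless the values file already carries the key base64-encoded the default `replace-me` (and any raw PEM) is rejected at apply time; either switch the key to `stringData:` or render `tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key | b64enc | quote }}`. More importantly, this makes an ACME account private key part of the helmfile values, i.e. committed configuration; cert-manager generates the account key itself when the `privateKeySecretRef` secret is absent, so it only needs pre-seeding (from a secret store, not values) when an existing account must be reused. The `email` default `name@example.com` is, as far as I recall, rejected by Let's Encrypt's forbidden-domain check, so the staging and production issuers will not register until it is overridden. The ClusterIssuer patches also carry `namespace: cert-manager` on a cluster-scoped kind; worth confirming the strategic-merge target still matches the rendered resource.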
......
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istio-gateway-certs
spec:
secretName: istio-gateway-certs
dnsNames:
- '*'
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: istio-gateway
spec:
selector:
istio: istio-gateway
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
- hosts:
- '*'
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: istio-gateway-certs
mode: SIMPLE
---
apiVersion: v1
kind: Service
metadata:
name: istio-gateway
spec:
type: LoadBalancer
selector:
istio: istio-gateway
ports:
- port: 80
name: http
- port: 443
name: https
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-gateway
spec:
selector:
matchLabels:
istio: istio-gateway
template:
metadata:
annotations:
# Select the gateway injection template (rather than the default sidecar template)
inject.istio.io/templates: gateway
labels:
# Set a unique label for the gateway. This is required to ensure Gateways can select this workload
istio: istio-gateway
# Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
sidecar.istio.io/inject: "true"
spec:
containers:
- name: istio-proxy
image: auto # The image will automatically update each time the pod starts.
---
# Set up roles to allow reading credentials for TLS
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istio-gateway-sds
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istio-gateway-sds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istio-gateway-sds
subjects:
- kind: ServiceAccount
name: default
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - ./gateway.yaml
# - ./deployment.yaml
......@@ -3,11 +3,19 @@ environments:
values:
- namespace: istio-system
namePrefix: ""
gateways: []
version:
istio: 1.14.1
raw: 1.1.0
gateways:
- name: cluster-local-gateway
hosts:
- "*"
repositories:
- name: istio
url: https://istio-release.storage.googleapis.com/charts
- name: bedag
url: https://bedag.github.io/helm-charts/
---
helmfiles:
......@@ -15,34 +23,76 @@ helmfiles:
values:
- namespace: {{ .Values.namespace }}
namePrefix: ""
version: {{ .Values.version.istio }}
- path: istiod.helmfile.yaml
values:
- namespace: {{ .Values.namespace }}
namePrefix: ""
version: {{ .Values.version.istio }}
releases:
{{- range $gateway_index, $gateway := .Values.gateways }}
- name: {{ $.Values.namePrefix }}gateway-{{ $gateway.name }}
namespace: {{ $gateway | get "namespace" "istio-system" }}
chart: istio/gateway
- name: {{ $.Values.namePrefix }}gateways
namespace: {{ .Values.namespace }}
chart: charts/gateway
dependencies:
{{- range $gateway_index, $gateway := .Values.gateways }}
- chart: istio/gateway
alias: gatewayd-{{ $gateway.name }}
version: {{ $.Values.version.istio }}
- chart: bedag/raw
alias: gateway-{{ $gateway.name }}
version: {{ $.Values.version.raw }}
{{- end }}
values:
- service:
type: LoadBalancer
loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }}
externalTrafficPolicy: Cluster
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
name: {{ $gateway.name }}
{{- end }}
{{- range $gateway_index, $gateway := .Values.gateways }}
- gatewayd-{{ $gateway.name }}:
name: {{ $gateway.name }}
service:
type: LoadBalancer
loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }}
autoscaling:
enabled: false
gateway-{{ $gateway.name }}:
resources:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istio-cert-{{ $gateway.name }}
spec:
secretName: istio-cert-{{ $gateway.name }}
dnsNames:
- '*'
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
group: cert-manager.io
- apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: {{ $gateway.name }}
spec:
selector:
istio: {{ $gateway.name }}
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
- hosts:
- '*'
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: istio-cert-{{ $gateway.name }}
mode: SIMPLE
{{- end }}
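Review bot: The per-gateway values declare a `hosts` list, but the generated Gateway servers and the Certificate hard-code `'*'`, so the configured hosts are never used and the Certificate requests a `'*'` SAN, which is not a valid wildcard name and will not verify against any hostname. Use `$gateway.hosts` for the Gateway servers and give the Certificate real DNS names (a `'*'` default there stays broken). The Service type is also hard-coded to `LoadBalancer`, so the gateway named `cluster-local-gateway` in the defaults is published externally; make it per-gateway with a ClusterIP default. `loadBalancerIP:` renders as an empty value when unset, which Kubernetes tolerates, but emitting it only when present is cleaner.
```yaml
# … unchanged: release name, namespace, chart and dependencies …
      gatewayd-{{ $gateway.name }}:
        name: {{ $gateway.name }}
        service:
          type: {{ $gateway | get "serviceType" "ClusterIP" }}
          {{- with ($gateway | get "loadBalancerIP" "") }}
          loadBalancerIP: {{ . }}
          {{- end }}
# … unchanged: autoscaling, Certificate metadata/secretName …
          spec:
            dnsNames:
            {{- range $host := $gateway.hosts }}
            - {{ $host | quote }}
            {{- end }}
# … unchanged: issuerRef, Gateway metadata/selector …
            servers:
            - hosts:
              {{- range $host := $gateway.hosts }}
              - {{ $host | quote }}
              {{- end }}
```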
......
......@@ -2,4 +2,6 @@ releases:
- name: {{ .Values.namePrefix }}istio-base
namespace: {{ .Values.namespace }}
chart: istio/base
version: {{ .Values.version }}
wait: true
......
......@@ -2,4 +2,5 @@ releases:
- name: {{ .Values.namePrefix }}istiod
namespace: {{ .Values.namespace }}
chart: istio/istiod
version: {{ .Values.version }}
......
......@@ -14,7 +14,7 @@ releases:
- name: {{ .Values.namePrefix }}redis-server
namespace: {{ .Values.namespace }}
chart: .
chart: charts/redis-server
values:
- set-common-values.yaml.gotmpl
jsonPatches:
......
......@@ -4,6 +4,8 @@ kind: ConfigMap
metadata:
name: registry-config
data:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/tls.crt
REGISTRY_HTTP_TLS_KEY: /certs/tls.key
---
apiVersion: v1
kind: Secret
......
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: registry-crt
spec:
secretName: registry-crt
dnsNames:
- registry.local
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
......@@ -15,16 +30,29 @@ spec:
number: 5000
host: registry
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: registry-originate-tls
spec:
host: registry
trafficPolicy:
portLevelSettings:
- port:
number: 5000
tls:
mode: SIMPLE
---
apiVersion: v1
kind: Service
metadata:
name: registry
spec:
type: NodePort
type: ClusterIP
selector:
app: registry
ports:
- name: registry
- name: https-registry
protocol: TCP
port: 5000
targetPort: 5000
......@@ -54,6 +82,9 @@ spec:
- name: registry-data
persistentVolumeClaim:
claimName: registry-data
- name: certificate
secret:
secretName: registry-crt
containers:
- name: registry
......@@ -66,4 +97,6 @@ spec:
volumeMounts:
- name: registry-data
mountPath: /var/lib/registry
- name: certificate
mountPath: /certs
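Review bot: The `registry-originate-tls` DestinationRule uses `mode: SIMPLE` with no `caCertificates`, `sni` or `subjectAltNames`, so on the Istio 1.14 line pinned elsewhere in this commit the sidecar, as far as I recall, originates TLS to the registry without verifying the server certificate, which makes the new TLS hop encryption-only rather than authenticated. The registry certificate is issued for `registry.local` while the rule's host is `registry`, so even with verification enabled the name would not match; add `sni: registry.local` and `subjectAltNames: [registry.local]`, and mount the `root-ca` CA into the client sidecars to set `caCertificates`. Clients that pull through the in-cluster Service name (`registry`, `registry.<ns>.svc`) will likewise fail verification unless those names are added to the Certificate's `dnsNames`.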
......
......@@ -10,7 +10,13 @@ environments:
strategicMergePatches: []
service:
registry:
nodePort: 32123
nodePort: 0
clusterIP: 0
type: NodePort
certificate:
hostNames:
- registry.local
issuerRef: ca-issuer
istioVirtualService:
enabled: true
jsonPatches: []
......@@ -29,13 +35,13 @@ helmfiles:
values:
- namespace: {{ .Values.namespace }}
namePrefix: {{ .Values.namePrefix }}registry-
images:
redis: {{ .Values.images.redis }}
#images:
# redis: {{ .Values.images.redis }}
releases:
- name: {{ .Values.namePrefix }}registry
namespace: {{ .Values.namespace }}
chart: .
chart: charts/registry
values:
- set-common-values.yaml.gotmpl
jsonPatches:
......@@ -49,8 +55,26 @@ releases:
path: /spec/selector/app
value: {{ .Values.namePrefix }}registry
- op: replace
path: /spec/type
value: {{ .Values.registry.service.registry.type }}
{{- if .Values.registry.service.registry.clusterIP }}
- op: add
path: /spec/clusterIP
value: {{ .Values.registry.service.registry.clusterIP }}
{{- end }}
{{- if eq .Values.registry.service.registry.type "ClusterIP" }}
- op: remove
path: /spec/ports/0/nodePort
{{- else if eq .Values.registry.service.registry.type "LoadBalancer" }}
- op: remove
path: /spec/ports/0/nodePort
{{- else }}
{{- if .Values.registry.service.registry.nodePort }}
- op: replace
path: /spec/ports/0/nodePort
value: {{ .Values.registry.service.registry.nodePort }}
{{- end }}
{{- end }}
{{- if .Values.istioVirtualService.enabled }}
- target:
kind: VirtualService
......@@ -62,6 +86,16 @@ releases:
- op: replace
path: /spec/http/0/route/0/destination/host
value: {{ .Values.namePrefix }}registry
- target:
kind: DestinationRule
name: {{ .Values.namePrefix }}registry-originate-tls
namespace: {{ .Values.namespace }}
version: v1beta1
group: networking.istio.io
patch:
- op: replace
path: /spec/host
value: {{ .Values.namePrefix }}registry
{{- end }}
{{- if not (empty (.Values.registry.jsonPatches)) }}
{{- .Values.registry.jsonPatches | toYaml | indent 6 }}
......@@ -85,6 +119,18 @@ releases:
{{- else }}
$patch: delete
{{- end }}
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.namePrefix }}registry-crt
namespace: {{ .Values.namespace }}
spec:
dnsNames:
{{- range $hostName_index, $hostName := .Values.certificate.hostNames }}
- {{ $hostName | quote }}
{{- end }}
issuerRef:
name: {{ .Values.certificate.issuerRef }}
- apiVersion: apps/v1
kind: Deployment
metadata:
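Review bot: The `ClusterIP` and `LoadBalancer` branches of the service-type patch are identical, which invites drift when one is edited; fold them into `{{- if or (eq .Values.registry.service.registry.type "ClusterIP") (eq .Values.registry.service.registry.type "LoadBalancer") }}`. With the new default `nodePort: 0`, the `{{- if .Values.registry.service.registry.nodePort }}` guard is false, so no replace is emitted and whatever nodePort the base manifest carries stays in place; if 0 is meant as "let Kubernetes allocate", that is not what happens (the base manifest is outside this hunk, so confirm). The commented-out `images.redis` lines are dead configuration and should be deleted rather than left commented. When `type` is `LoadBalancer` the registry becomes reachable from outside the cluster on 5000 with only private-CA TLS in front of it; the commit message suggests that is intended, but a comment on the `type` value saying so would help the next reader.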
......