Check pointing; basically, registry can be on an external LoadBalancer

port, *and* on istio VirtualService.

Check pointing; basically, registry can be on an external LoadBalancer
port, *and* on istio VirtualService.
Adam Heath
Showing 16 changed files with 322 additions and 36 deletions
cert-manager/charts/cert-manager/helmfile.yaml
cert-manager/charts/cluster-issuer/kustomization.yaml
cert-manager/helmfile.yaml
istio/charts/gateway/deployment.yaml
istio/charts/gateway/kustomization.yaml
istio/helmfile.yaml
istio/istio-base.helmfile.yaml
istio/istiod.helmfile.yaml
redis/config.yaml → redis/charts/redis-server/config.yaml
redis/kustomization.yaml → redis/charts/redis-server/kustomization.yaml
redis/redis-server.yaml → redis/charts/redis-server/redis-server.yaml
redis/helmfile.yaml
registry/config.yaml → registry/charts/registry/config.yaml
registry/kustomization.yaml → registry/charts/registry/kustomization.yaml
registry/registry.yaml → registry/charts/registry/registry.yaml
registry/helmfile.yaml
--- a/cert-manager/charts/cert-manager/helmfile.yaml
View file @8b3feae
+++ b/cert-manager/charts/cert-manager/helmfile.yaml
View file @8b3feae
@@ -3,4 +3,5 @@ releases:
  - name: cert-manager
    chart: .
    wait: true
+    atomic: true
 ---
--- a/cert-manager/charts/cluster-issuer/kustomization.yaml
View file @8b3feae
+++ b/cert-manager/charts/cluster-issuer/kustomization.yaml
View file @8b3feae
@@ -3,4 +3,5 @@ kind: Kustomization

 resources:
  - ./cluster-issuer.yaml
+  - ./letsencrypt.yaml

--- a/cert-manager/helmfile.yaml
View file @8b3feae
+++ b/cert-manager/helmfile.yaml
View file @8b3feae
@@ -6,17 +6,28 @@ environments:
          strategicMergePatches: []
          caIssuer:
            secretName: root-ca
+          letsencrypt:
+            enabled: true
+            email: name@example.com
+            tls_key: replace-me
+
+repositories:
+  - name: jetstack
+    url: https://charts.jetstack.io

 ---
-helmfiles:
-  - path: ./charts/cert-manager/helmfile.yaml
+releases:
+  - name: cert-manager
+    chart: jetstack/cert-manager
+    namespace: cert-manager
    values:
-      -
-      {{- toYaml .Values | nindent 8 }}
+      - installCRDs: true

-releases:
  - name: cluster-issuer
    chart: charts/cluster-issuer
+    disableValidationOnInstall: true
+    needs:
+      - cert-manager/cert-manager
    jsonPatches:
      {{- if not (empty (.Values.clusterIssuer.jsonPatches)) }}
      {{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }}
@@ -30,6 +41,39 @@ releases:
        spec:
          ca:
            secretName: {{ .Values.clusterIssuer.caIssuer.secretName }}
+      - apiVersion: v1
+        kind: Secret
+        metadata:
+          namespace: cert-manager
+          name: acme-account-key
+      {{- if .Values.clusterIssuer.letsencrypt.enabled }}
+        data:
+          tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key }}
+      {{- else }}
+        $patch: delete
+      {{- end }}
+      - apiVersion: cert-manager.io/v1
+        kind: ClusterIssuer
+        metadata:
+          namespace: cert-manager
+          name: letsencrypt-staging
+      {{- if .Values.clusterIssuer.letsencrypt.enabled }}
+        spec:
+          email: {{ .Values.clusterIssuer.letsencrypt.email }}
+      {{- else }}
+        $patch: delete
+      {{- end }}
+      - apiVersion: cert-manager.io/v1
+        kind: ClusterIssuer
+        metadata:
+          namespace: cert-manager
+          name: letsencrypt-production
+      {{- if .Values.clusterIssuer.letsencrypt.enabled }}
+        spec:
+          email: {{ .Values.clusterIssuer.letsencrypt.email }}
+      {{- else }}
+        $patch: delete
+      {{- end }}
      {{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }}
      {{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }}
      {{- end }}
--- a/istio/charts/gateway/deployment.yaml 0 → 100644
View file @8b3feae
+++ b/istio/charts/gateway/deployment.yaml 0 → 100644
View file @8b3feae
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: istio-gateway-certs
+spec:
+  secretName: istio-gateway-certs
+  dnsNames:
+  - '*'
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: istio-gateway
+spec:
+  selector:
+    istio: istio-gateway
+  servers:
+  - hosts:
+    - '*'
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+  - hosts:
+    - '*'
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      credentialName: istio-gateway-certs
+      mode: SIMPLE
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-gateway
+spec:
+  type: LoadBalancer
+  selector:
+    istio: istio-gateway
+  ports:
+		- port: 80
+			name: http
+		- port: 443
+			name: https
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-gateway
+spec:
+  selector:
+    matchLabels:
+      istio: istio-gateway
+  template:
+    metadata:
+      annotations:
+        # Select the gateway injection template (rather than the default sidecar template)
+        inject.istio.io/templates: gateway
+      labels:
+        # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
+        istio: istio-gateway
+        # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
+        sidecar.istio.io/inject: "true"
+    spec:
+      containers:
+				- name: istio-proxy
+					image: auto # The image will automatically update each time the pod starts.
+---
+# Set up roles to allow reading credentials for TLS
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istio-gateway-sds
+rules:
+	- apiGroups: [""]
+		resources: ["secrets"]
+		verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-gateway-sds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-gateway-sds
+subjects:
+	- kind: ServiceAccount
+		name: default
+---
--- a/istio/charts/gateway/kustomization.yaml 0 → 100644
View file @8b3feae
+++ b/istio/charts/gateway/kustomization.yaml 0 → 100644
View file @8b3feae
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+#  - ./gateway.yaml
+#  - ./deployment.yaml
+
--- a/istio/helmfile.yaml
View file @8b3feae
+++ b/istio/helmfile.yaml
View file @8b3feae
@@ -3,11 +3,19 @@ environments:
    values:
      - namespace: istio-system
        namePrefix: ""
-        gateways: []
+        version:
+          istio: 1.14.1
+          raw: 1.1.0
+        gateways:
+          - name: cluster-local-gateway
+            hosts:
+              - "*"

 repositories:
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/

 ---
 helmfiles:
@@ -15,34 +23,76 @@ helmfiles:
    values:
      - namespace: {{ .Values.namespace }}
        namePrefix: ""
+        version: {{ .Values.version.istio }}
  - path: istiod.helmfile.yaml
    values:
      - namespace: {{ .Values.namespace }}
        namePrefix: ""
+        version: {{ .Values.version.istio }}

 releases:
-{{- range $gateway_index, $gateway := .Values.gateways }}
-  - name: {{ $.Values.namePrefix }}gateway-{{ $gateway.name }}
-    namespace: {{ $gateway | get "namespace" "istio-system" }}
-    chart: istio/gateway
+  - name: {{ $.Values.namePrefix }}gateways
+    namespace: {{ .Values.namespace }}
+    chart: charts/gateway
+    dependencies:
+      {{- range $gateway_index, $gateway := .Values.gateways }}
+      - chart: istio/gateway
+        alias: gatewayd-{{ $gateway.name }}
+        version: {{ $.Values.version.istio }}
+      - chart: bedag/raw
+        alias: gateway-{{ $gateway.name }}
+        version: {{ $.Values.version.raw }}
+      {{- end }}
    values:
-      - service:
-          type: LoadBalancer
-          loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }}
-          externalTrafficPolicy: Cluster
-          ports:
-            - name: status-port
-              port: 15021
-              protocol: TCP
-              targetPort: 15021
-            - name: http2
-              port: 80
-              protocol: TCP
-              targetPort: 80
-            - name: https
-              port: 443
-              protocol: TCP
-              targetPort: 443
-        name: {{ $gateway.name }}
-{{- end }}
+      {{- range $gateway_index, $gateway := .Values.gateways }}
+      - gatewayd-{{ $gateway.name }}:
+          name: {{ $gateway.name }}
+          service:
+            type: LoadBalancer
+            loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }}
+          autoscaling:
+            enabled: false
+        gateway-{{ $gateway.name }}:
+          resources:
+            - apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: istio-cert-{{ $gateway.name }}
+              spec:
+                secretName: istio-cert-{{ $gateway.name }}
+                dnsNames:
+                - '*'
+                issuerRef:
+                  name: ca-issuer
+                  # We can reference ClusterIssuers by changing the kind here.
+                  # The default value is Issuer (i.e. a locally namespaced Issuer)
+                  kind: ClusterIssuer
+                  group: cert-manager.io
+
+            - apiVersion: networking.istio.io/v1beta1
+              kind: Gateway
+              metadata:
+                name: {{ $gateway.name }}
+              spec:
+                selector:
+                  istio: {{ $gateway.name }}
+                servers:
+                - hosts:
+                  - '*'
+                  port:
+                    name: http
+                    number: 80
+                    protocol: HTTP
+                - hosts:
+                  - '*'
+                  port:
+                    name: https
+                    number: 443
+                    protocol: HTTPS
+                  tls:
+                    credentialName: istio-cert-{{ $gateway.name }}
+                    mode: SIMPLE
+
+      {{- end }}
+

--- a/istio/istio-base.helmfile.yaml
View file @8b3feae
+++ b/istio/istio-base.helmfile.yaml
View file @8b3feae
@@ -2,4 +2,6 @@ releases:
  - name: {{ .Values.namePrefix }}istio-base
    namespace: {{ .Values.namespace }}
    chart: istio/base
+    version: {{ .Values.version }}
+    wait: true

--- a/istio/istiod.helmfile.yaml
View file @8b3feae
+++ b/istio/istiod.helmfile.yaml
View file @8b3feae
@@ -2,4 +2,5 @@ releases:
  - name: {{ .Values.namePrefix }}istiod
    namespace: {{ .Values.namespace }}
    chart: istio/istiod
+    version: {{ .Values.version }}

--- a/redis/config.yaml → redis/charts/redis-server/config.yaml
View file @8b3feae
+++ b/redis/config.yaml → redis/charts/redis-server/config.yaml
View file @8b3feae
--- a/redis/kustomization.yaml → redis/charts/redis-server/kustomization.yaml
View file @8b3feae
+++ b/redis/kustomization.yaml → redis/charts/redis-server/kustomization.yaml
View file @8b3feae
--- a/redis/redis-server.yaml → redis/charts/redis-server/redis-server.yaml
View file @8b3feae
+++ b/redis/redis-server.yaml → redis/charts/redis-server/redis-server.yaml
View file @8b3feae
--- a/redis/helmfile.yaml
View file @8b3feae
+++ b/redis/helmfile.yaml
View file @8b3feae
@@ -14,7 +14,7 @@ releases:

  - name: {{ .Values.namePrefix }}redis-server
    namespace: {{ .Values.namespace }}
-    chart: .
+    chart: charts/redis-server
    values:
      - set-common-values.yaml.gotmpl
    jsonPatches:
--- a/registry/config.yaml → registry/charts/registry/config.yaml
View file @8b3feae
+++ b/registry/config.yaml → registry/charts/registry/config.yaml
View file @8b3feae
@@ -4,6 +4,8 @@ kind: ConfigMap
 metadata:
  name: registry-config
 data:
+  REGISTRY_HTTP_TLS_CERTIFICATE: /certs/tls.crt
+  REGISTRY_HTTP_TLS_KEY: /certs/tls.key
 ---
 apiVersion: v1
 kind: Secret
--- a/registry/kustomization.yaml → registry/charts/registry/kustomization.yaml
View file @8b3feae
+++ b/registry/kustomization.yaml → registry/charts/registry/kustomization.yaml
View file @8b3feae
--- a/registry/registry.yaml → registry/charts/registry/registry.yaml
View file @8b3feae
+++ b/registry/registry.yaml → registry/charts/registry/registry.yaml
View file @8b3feae
 ---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: registry-crt
+spec:
+  secretName: registry-crt
+  dnsNames:
+  - registry.local
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -15,16 +30,29 @@ spec:
          number: 5000
        host: registry
 ---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: registry-originate-tls
+spec:
+  host: registry
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 5000
+        tls:
+          mode: SIMPLE
+---
 apiVersion: v1
 kind: Service
 metadata:
  name: registry
 spec:
-  type: NodePort
+  type: ClusterIP
  selector:
    app: registry
  ports:
-    - name: registry
+    - name: https-registry
      protocol: TCP
      port: 5000
      targetPort: 5000
@@ -54,6 +82,9 @@ spec:
        - name: registry-data
          persistentVolumeClaim:
            claimName: registry-data
+        - name: certificate
+          secret:
+            secretName: registry-crt

      containers:
        - name: registry
@@ -66,4 +97,6 @@ spec:
          volumeMounts:
            - name: registry-data
              mountPath: /var/lib/registry
+            - name: certificate
+              mountPath: /certs

--- a/registry/helmfile.yaml
View file @8b3feae
+++ b/registry/helmfile.yaml
View file @8b3feae
@@ -10,7 +10,13 @@ environments:
          strategicMergePatches: []
          service:
            registry:
-              nodePort: 32123
+              nodePort: 0
+              clusterIP: 0
+              type: NodePort
+        certificate:
+          hostNames:
+            - registry.local
+          issuerRef: ca-issuer
        istioVirtualService:
          enabled: true
          jsonPatches: []
@@ -29,13 +35,13 @@ helmfiles:
    values:
      - namespace: {{ .Values.namespace }}
        namePrefix: {{ .Values.namePrefix }}registry-
-        images:
-          redis: {{ .Values.images.redis }}
+        #images:
+        #  redis: {{ .Values.images.redis }}

 releases:
  - name: {{ .Values.namePrefix }}registry
    namespace: {{ .Values.namespace }}
-    chart: .
+    chart: charts/registry
    values:
      - set-common-values.yaml.gotmpl
    jsonPatches:
@@ -49,8 +55,26 @@ releases:
            path: /spec/selector/app
            value: {{ .Values.namePrefix }}registry
          - op: replace
+            path: /spec/type
+            value: {{ .Values.registry.service.registry.type }}
+      {{- if .Values.registry.service.registry.clusterIP }}
+          - op: add
+            path: /spec/clusterIP
+            value: {{ .Values.registry.service.registry.clusterIP }}
+      {{- end }}
+      {{- if eq .Values.registry.service.registry.type "ClusterIP" }}
+          - op: remove
+            path: /spec/ports/0/nodePort
+      {{- else if eq .Values.registry.service.registry.type "LoadBalancer" }}
+          - op: remove
+            path: /spec/ports/0/nodePort
+      {{- else }}
+      {{-   if .Values.registry.service.registry.nodePort }}
+          - op: replace
            path: /spec/ports/0/nodePort
            value: {{ .Values.registry.service.registry.nodePort }}
+      {{-   end }}
+      {{- end }}
      {{- if .Values.istioVirtualService.enabled }}
      - target:
          kind: VirtualService
@@ -62,6 +86,16 @@ releases:
          - op: replace
            path: /spec/http/0/route/0/destination/host
            value: {{ .Values.namePrefix }}registry
+      - target:
+          kind: DestinationRule
+          name: {{ .Values.namePrefix }}registry-originate-tls
+          namespace: {{ .Values.namespace }}
+          version: v1beta1
+          group: networking.istio.io
+        patch:
+          - op: replace
+            path: /spec/host
+            value: {{ .Values.namePrefix }}registry
      {{- end }}
      {{- if not (empty (.Values.registry.jsonPatches)) }}
      {{- .Values.registry.jsonPatches | toYaml | indent 6 }}
@@ -85,6 +119,18 @@ releases:
      {{- else }}
        $patch: delete
      {{- end }}
+      - apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: {{ .Values.namePrefix }}registry-crt
+          namespace: {{ .Values.namespace }}
+        spec:
+          dnsNames:
+            {{- range $hostName_index, $hostName := .Values.certificate.hostNames }}
+            - {{ $hostName | quote }}
+            {{- end }}
+          issuerRef:
+            name: {{ .Values.certificate.issuerRef }}
      - apiVersion: apps/v1
        kind: Deployment
        metadata: