Checkpoint; basically, the registry can be exposed on an external LoadBalancer port *and* through an Istio VirtualService.
Showing
16 changed files
with
322 additions
and
36 deletions
... | @@ -6,17 +6,28 @@ environments: | ... | @@ -6,17 +6,28 @@ environments: |
6 | strategicMergePatches: [] | 6 | strategicMergePatches: [] |
7 | caIssuer: | 7 | caIssuer: |
8 | secretName: root-ca | 8 | secretName: root-ca |
9 | letsencrypt: | ||
10 | enabled: true | ||
11 | email: name@example.com | ||
12 | tls_key: replace-me | ||
13 | |||
14 | repositories: | ||
15 | - name: jetstack | ||
16 | url: https://charts.jetstack.io | ||
9 | 17 | ||
10 | --- | 18 | --- |
11 | helmfiles: | 19 | releases: |
12 | - path: ./charts/cert-manager/helmfile.yaml | 20 | - name: cert-manager |
21 | chart: jetstack/cert-manager | ||
22 | namespace: cert-manager | ||
13 | values: | 23 | values: |
14 | - | 24 | - installCRDs: true |
15 | {{- toYaml .Values | nindent 8 }} | ||
16 | 25 | ||
17 | releases: | ||
18 | - name: cluster-issuer | 26 | - name: cluster-issuer |
19 | chart: charts/cluster-issuer | 27 | chart: charts/cluster-issuer |
28 | disableValidationOnInstall: true | ||
29 | needs: | ||
30 | - cert-manager/cert-manager | ||
20 | jsonPatches: | 31 | jsonPatches: |
21 | {{- if not (empty (.Values.clusterIssuer.jsonPatches)) }} | 32 | {{- if not (empty (.Values.clusterIssuer.jsonPatches)) }} |
22 | {{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }} | 33 | {{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }} |
... | @@ -30,6 +41,39 @@ releases: | ... | @@ -30,6 +41,39 @@ releases: |
30 | spec: | 41 | spec: |
31 | ca: | 42 | ca: |
32 | secretName: {{ .Values.clusterIssuer.caIssuer.secretName }} | 43 | secretName: {{ .Values.clusterIssuer.caIssuer.secretName }} |
44 | - apiVersion: v1 | ||
45 | kind: Secret | ||
46 | metadata: | ||
47 | namespace: cert-manager | ||
48 | name: acme-account-key | ||
49 | {{- if .Values.clusterIssuer.letsencrypt.enabled }} | ||
50 | data: | ||
51 | tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key }} | ||
52 | {{- else }} | ||
53 | $patch: delete | ||
54 | {{- end }} | ||
55 | - apiVersion: cert-manager.io/v1 | ||
56 | kind: ClusterIssuer | ||
57 | metadata: | ||
58 | namespace: cert-manager | ||
59 | name: letsencrypt-staging | ||
60 | {{- if .Values.clusterIssuer.letsencrypt.enabled }} | ||
61 | spec: | ||
62 | email: {{ .Values.clusterIssuer.letsencrypt.email }} | ||
63 | {{- else }} | ||
64 | $patch: delete | ||
65 | {{- end }} | ||
66 | - apiVersion: cert-manager.io/v1 | ||
67 | kind: ClusterIssuer | ||
68 | metadata: | ||
69 | namespace: cert-manager | ||
70 | name: letsencrypt-production | ||
71 | {{- if .Values.clusterIssuer.letsencrypt.enabled }} | ||
72 | spec: | ||
73 | email: {{ .Values.clusterIssuer.letsencrypt.email }} | ||
74 | {{- else }} | ||
75 | $patch: delete | ||
76 | {{- end }} | ||
33 | {{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }} | 77 | {{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }} |
34 | {{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }} | 78 | {{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }} |
35 | {{- end }} | 79 | {{- end }} | ... | ... |
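Review bot: The ACME account private key is taken straight from the environment values file as a base64 `data` value (`tls_key: replace-me` on new line 12, consumed at new line 51), so a real key would live in the repository in plaintext, and the placeholder `replace-me` is not valid base64, so with `letsencrypt.enabled: true` as the default the rendered `acme-account-key` Secret will most likely be rejected by the API server. cert-manager creates the ACME account key itself when the issuer's `privateKeySecretRef` secret does not exist, so I would default `enabled: false` and either drop the Secret patch or source the key from outside the repo, e.g. `tls.key: {{ requiredEnv "ACME_ACCOUNT_KEY" }}`. Separately, ClusterIssuer is cluster-scoped, so `namespace: cert-manager` on the two ClusterIssuer patches (new lines 58 and 69) is meaningless unless the strategic-merge target in charts/cluster-issuer needs it; the rest of the issuer spec (server, solvers, privateKeySecretRef) presumably lives in that chart, outside this hunk, and is worth checking rather than assuming.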
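--- a/istio/charts/gateway/deployment.yaml
+++ b/istio/charts/gateway/deployment.yaml
@@ -0,0 +1,99 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: istio-gateway-certs
+spec:
+  secretName: istio-gateway-certs
+  dnsNames:
+  - '*'
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: istio-gateway
+spec:
+  selector:
+    istio: istio-gateway
+  servers:
+  - hosts:
+    - '*'
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+  - hosts:
+    - '*'
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      credentialName: istio-gateway-certs
+      mode: SIMPLE
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-gateway
+spec:
+  type: LoadBalancer
+  selector:
+    istio: istio-gateway
+  ports:
+  - port: 80
+    name: http
+  - port: 443
+    name: https
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-gateway
+spec:
+  selector:
+    matchLabels:
+      istio: istio-gateway
+  template:
+    metadata:
+      annotations:
+        # Select the gateway injection template (rather than the default sidecar template)
+        inject.istio.io/templates: gateway
+      labels:
+        # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
+        istio: istio-gateway
+        # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
+        sidecar.istio.io/inject: "true"
+    spec:
+      containers:
+      - name: istio-proxy
+        image: auto # The image will automatically update each time the pod starts.
+---
+# Set up roles to allow reading credentials for TLS
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istio-gateway-sds
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-gateway-sds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-gateway-sds
+subjects:
+  - kind: ServiceAccount
+    name: default
+---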
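Review bot: The RoleBinding at lines 88–98 grants get/list/watch on every Secret in the namespace to the `default` ServiceAccount, so any pod in the namespace that is not given its own ServiceAccount can read the gateway's private key and anything else stored there. Give the gateway its own ServiceAccount, set `serviceAccountName` on the Deployment, and bind the Role to that account (below); `get` could additionally be narrowed with `resourceNames: ["istio-gateway-certs"]`, although `list`/`watch` cannot be. The Certificate's `dnsNames: ['*']` (line 9) also looks wrong: a bare `*` is not a usable wildcard SAN, since verifiers match names label by label, so clients would only accept this certificate with hostname verification disabled; list the real hostnames or a `*.example.com`-style wildcard. Finally the HTTP server on port 80 has no `tls.httpsRedirect: true`, so plaintext is served alongside TLS — possibly intentional, but worth a comment saying so.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-gateway
---
# … unchanged: Certificate, Gateway, Service …
apiVersion: apps/v1
kind: Deployment
# … unchanged: metadata, selector, template metadata …
    spec:
      serviceAccountName: istio-gateway
      containers:
      - name: istio-proxy
        image: auto # The image will automatically update each time the pod starts.
---
# … unchanged: Role istio-gateway-sds, RoleBinding header and roleRef …
subjects:
  - kind: ServiceAccount
    name: istio-gateway
```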
istio/charts/gateway/kustomization.yaml
0 → 100644
... | @@ -3,11 +3,19 @@ environments: | ... | @@ -3,11 +3,19 @@ environments: |
3 | values: | 3 | values: |
4 | - namespace: istio-system | 4 | - namespace: istio-system |
5 | namePrefix: "" | 5 | namePrefix: "" |
6 | gateways: [] | 6 | version: |
7 | istio: 1.14.1 | ||
8 | raw: 1.1.0 | ||
9 | gateways: | ||
10 | - name: cluster-local-gateway | ||
11 | hosts: | ||
12 | - "*" | ||
7 | 13 | ||
8 | repositories: | 14 | repositories: |
9 | - name: istio | 15 | - name: istio |
10 | url: https://istio-release.storage.googleapis.com/charts | 16 | url: https://istio-release.storage.googleapis.com/charts |
17 | - name: bedag | ||
18 | url: https://bedag.github.io/helm-charts/ | ||
11 | 19 | ||
12 | --- | 20 | --- |
13 | helmfiles: | 21 | helmfiles: |
... | @@ -15,34 +23,76 @@ helmfiles: | ... | @@ -15,34 +23,76 @@ helmfiles: |
15 | values: | 23 | values: |
16 | - namespace: {{ .Values.namespace }} | 24 | - namespace: {{ .Values.namespace }} |
17 | namePrefix: "" | 25 | namePrefix: "" |
26 | version: {{ .Values.version.istio }} | ||
18 | - path: istiod.helmfile.yaml | 27 | - path: istiod.helmfile.yaml |
19 | values: | 28 | values: |
20 | - namespace: {{ .Values.namespace }} | 29 | - namespace: {{ .Values.namespace }} |
21 | namePrefix: "" | 30 | namePrefix: "" |
31 | version: {{ .Values.version.istio }} | ||
22 | 32 | ||
23 | releases: | 33 | releases: |
24 | {{- range $gateway_index, $gateway := .Values.gateways }} | 34 | - name: {{ $.Values.namePrefix }}gateways |
25 | - name: {{ $.Values.namePrefix }}gateway-{{ $gateway.name }} | 35 | namespace: {{ .Values.namespace }} |
26 | namespace: {{ $gateway | get "namespace" "istio-system" }} | 36 | chart: charts/gateway |
27 | chart: istio/gateway | 37 | dependencies: |
38 | {{- range $gateway_index, $gateway := .Values.gateways }} | ||
39 | - chart: istio/gateway | ||
40 | alias: gatewayd-{{ $gateway.name }} | ||
41 | version: {{ $.Values.version.istio }} | ||
42 | - chart: bedag/raw | ||
43 | alias: gateway-{{ $gateway.name }} | ||
44 | version: {{ $.Values.version.raw }} | ||
45 | {{- end }} | ||
28 | values: | 46 | values: |
29 | - service: | 47 | {{- range $gateway_index, $gateway := .Values.gateways }} |
30 | type: LoadBalancer | 48 | - gatewayd-{{ $gateway.name }}: |
31 | loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }} | 49 | name: {{ $gateway.name }} |
32 | externalTrafficPolicy: Cluster | 50 | service: |
33 | ports: | 51 | type: LoadBalancer |
34 | - name: status-port | 52 | loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }} |
35 | port: 15021 | 53 | autoscaling: |
36 | protocol: TCP | 54 | enabled: false |
37 | targetPort: 15021 | 55 | gateway-{{ $gateway.name }}: |
38 | - name: http2 | 56 | resources: |
39 | port: 80 | 57 | - apiVersion: cert-manager.io/v1 |
40 | protocol: TCP | 58 | kind: Certificate |
41 | targetPort: 80 | 59 | metadata: |
42 | - name: https | 60 | name: istio-cert-{{ $gateway.name }} |
43 | port: 443 | 61 | spec: |
44 | protocol: TCP | 62 | secretName: istio-cert-{{ $gateway.name }} |
45 | targetPort: 443 | 63 | dnsNames: |
46 | name: {{ $gateway.name }} | 64 | - '*' |
47 | {{- end }} | 65 | issuerRef: |
66 | name: ca-issuer | ||
67 | # We can reference ClusterIssuers by changing the kind here. | ||
68 | # The default value is Issuer (i.e. a locally namespaced Issuer) | ||
69 | kind: ClusterIssuer | ||
70 | group: cert-manager.io | ||
71 | |||
72 | - apiVersion: networking.istio.io/v1beta1 | ||
73 | kind: Gateway | ||
74 | metadata: | ||
75 | name: {{ $gateway.name }} | ||
76 | spec: | ||
77 | selector: | ||
78 | istio: {{ $gateway.name }} | ||
79 | servers: | ||
80 | - hosts: | ||
81 | - '*' | ||
82 | port: | ||
83 | name: http | ||
84 | number: 80 | ||
85 | protocol: HTTP | ||
86 | - hosts: | ||
87 | - '*' | ||
88 | port: | ||
89 | name: https | ||
90 | number: 443 | ||
91 | protocol: HTTPS | ||
92 | tls: | ||
93 | credentialName: istio-cert-{{ $gateway.name }} | ||
94 | mode: SIMPLE | ||
95 | |||
96 | {{- end }} | ||
97 | |||
48 | 98 | ... | ... |
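Review bot: The rendered Gateway hardcodes `hosts: ['*']` on both servers (new lines 81 and 87) and ignores the per-gateway `hosts` list this commit introduces in the defaults (line 12), so that knob has no effect and every gateway accepts every host; replace each `- '*'` with `{{- range $gateway.hosts }}` / `- {{ . | quote }}` / `{{- end }}` indented under `hosts:`. The default entry is named `cluster-local-gateway` yet is rendered with `service.type: LoadBalancer` (new line 51) and a `ca-issuer` Certificate whose only SAN is a bare `*` (new line 64), which is not a name any client will match; if the gateway is meant for in-cluster traffic the Service should be `ClusterIP`, and either way the certificate needs real hostnames to be verifiable. The `istio` and `bedag/raw` version pins are an improvement over the previous floating versions, though `raw: 1.1.0` is only pinned by version, not by digest.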
... | @@ -2,4 +2,6 @@ releases: | ... | @@ -2,4 +2,6 @@ releases: |
2 | - name: {{ .Values.namePrefix }}istio-base | 2 | - name: {{ .Values.namePrefix }}istio-base |
3 | namespace: {{ .Values.namespace }} | 3 | namespace: {{ .Values.namespace }} |
4 | chart: istio/base | 4 | chart: istio/base |
5 | version: {{ .Values.version }} | ||
6 | wait: true | ||
5 | 7 | ... | ... |
... | @@ -2,4 +2,5 @@ releases: | ... | @@ -2,4 +2,5 @@ releases: |
2 | - name: {{ .Values.namePrefix }}istiod | 2 | - name: {{ .Values.namePrefix }}istiod |
3 | namespace: {{ .Values.namespace }} | 3 | namespace: {{ .Values.namespace }} |
4 | chart: istio/istiod | 4 | chart: istio/istiod |
5 | version: {{ .Values.version }} | ||
5 | 6 | ... | ... |
... | @@ -14,7 +14,7 @@ releases: | ... | @@ -14,7 +14,7 @@ releases: |
14 | 14 | ||
15 | - name: {{ .Values.namePrefix }}redis-server | 15 | - name: {{ .Values.namePrefix }}redis-server |
16 | namespace: {{ .Values.namespace }} | 16 | namespace: {{ .Values.namespace }} |
17 | chart: . | 17 | chart: charts/redis-server |
18 | values: | 18 | values: |
19 | - set-common-values.yaml.gotmpl | 19 | - set-common-values.yaml.gotmpl |
20 | jsonPatches: | 20 | jsonPatches: | ... | ... |
... | @@ -4,6 +4,8 @@ kind: ConfigMap | ... | @@ -4,6 +4,8 @@ kind: ConfigMap |
4 | metadata: | 4 | metadata: |
5 | name: registry-config | 5 | name: registry-config |
6 | data: | 6 | data: |
7 | REGISTRY_HTTP_TLS_CERTIFICATE: /certs/tls.crt | ||
8 | REGISTRY_HTTP_TLS_KEY: /certs/tls.key | ||
7 | --- | 9 | --- |
8 | apiVersion: v1 | 10 | apiVersion: v1 |
9 | kind: Secret | 11 | kind: Secret | ... | ... |
1 | --- | 1 | --- |
2 | apiVersion: cert-manager.io/v1 | ||
3 | kind: Certificate | ||
4 | metadata: | ||
5 | name: registry-crt | ||
6 | spec: | ||
7 | secretName: registry-crt | ||
8 | dnsNames: | ||
9 | - registry.local | ||
10 | issuerRef: | ||
11 | name: ca-issuer | ||
12 | # We can reference ClusterIssuers by changing the kind here. | ||
13 | # The default value is Issuer (i.e. a locally namespaced Issuer) | ||
14 | kind: ClusterIssuer | ||
15 | group: cert-manager.io | ||
16 | --- | ||
2 | apiVersion: networking.istio.io/v1beta1 | 17 | apiVersion: networking.istio.io/v1beta1 |
3 | kind: VirtualService | 18 | kind: VirtualService |
4 | metadata: | 19 | metadata: |
... | @@ -15,16 +30,29 @@ spec: | ... | @@ -15,16 +30,29 @@ spec: |
15 | number: 5000 | 30 | number: 5000 |
16 | host: registry | 31 | host: registry |
17 | --- | 32 | --- |
33 | apiVersion: networking.istio.io/v1beta1 | ||
34 | kind: DestinationRule | ||
35 | metadata: | ||
36 | name: registry-originate-tls | ||
37 | spec: | ||
38 | host: registry | ||
39 | trafficPolicy: | ||
40 | portLevelSettings: | ||
41 | - port: | ||
42 | number: 5000 | ||
43 | tls: | ||
44 | mode: SIMPLE | ||
45 | --- | ||
18 | apiVersion: v1 | 46 | apiVersion: v1 |
19 | kind: Service | 47 | kind: Service |
20 | metadata: | 48 | metadata: |
21 | name: registry | 49 | name: registry |
22 | spec: | 50 | spec: |
23 | type: NodePort | 51 | type: ClusterIP |
24 | selector: | 52 | selector: |
25 | app: registry | 53 | app: registry |
26 | ports: | 54 | ports: |
27 | - name: registry | 55 | - name: https-registry |
28 | protocol: TCP | 56 | protocol: TCP |
29 | port: 5000 | 57 | port: 5000 |
30 | targetPort: 5000 | 58 | targetPort: 5000 |
... | @@ -54,6 +82,9 @@ spec: | ... | @@ -54,6 +82,9 @@ spec: |
54 | - name: registry-data | 82 | - name: registry-data |
55 | persistentVolumeClaim: | 83 | persistentVolumeClaim: |
56 | claimName: registry-data | 84 | claimName: registry-data |
85 | - name: certificate | ||
86 | secret: | ||
87 | secretName: registry-crt | ||
57 | 88 | ||
58 | containers: | 89 | containers: |
59 | - name: registry | 90 | - name: registry |
... | @@ -66,4 +97,6 @@ spec: | ... | @@ -66,4 +97,6 @@ spec: |
66 | volumeMounts: | 97 | volumeMounts: |
67 | - name: registry-data | 98 | - name: registry-data |
68 | mountPath: /var/lib/registry | 99 | mountPath: /var/lib/registry |
100 | - name: certificate | ||
101 | mountPath: /certs | ||
69 | 102 | ... | ... |
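Review bot: The new DestinationRule originates TLS to the registry with `mode: SIMPLE` and nothing else (new lines 43–44) — no `caCertificates`, no `sni`, no `subjectAltNames` — and, as far as I recall for the Istio line pinned in this commit, client-side SIMPLE origination without `caCertificates` does not verify the server certificate at all unless the mesh-wide `verifyCertificateAtClient` flag is set, so the TLS hop this commit adds between the mesh and the registry would not stop an in-cluster impersonator; please confirm against the deployed version. Since the certificate comes from the private `ca-issuer` for `registry.local` (new lines 8–11), mount that CA into the calling proxy and set `sni: registry.local`, `subjectAltNames: [registry.local]` and `caCertificates: /path/to/ca.crt` on the `tls` block, or use `mode: ISTIO_MUTUAL` if the registry pod is itself in the mesh. Renaming the port to `https-registry` (new line 55) is the right way to tell Istio the protocol; note the `ClusterIP` default here is overridden by the helmfile's service-type patch in a different file of this commit.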
... | @@ -10,7 +10,13 @@ environments: | ... | @@ -10,7 +10,13 @@ environments: |
10 | strategicMergePatches: [] | 10 | strategicMergePatches: [] |
11 | service: | 11 | service: |
12 | registry: | 12 | registry: |
13 | nodePort: 32123 | 13 | nodePort: 0 |
14 | clusterIP: 0 | ||
15 | type: NodePort | ||
16 | certificate: | ||
17 | hostNames: | ||
18 | - registry.local | ||
19 | issuerRef: ca-issuer | ||
14 | istioVirtualService: | 20 | istioVirtualService: |
15 | enabled: true | 21 | enabled: true |
16 | jsonPatches: [] | 22 | jsonPatches: [] |
... | @@ -29,13 +35,13 @@ helmfiles: | ... | @@ -29,13 +35,13 @@ helmfiles: |
29 | values: | 35 | values: |
30 | - namespace: {{ .Values.namespace }} | 36 | - namespace: {{ .Values.namespace }} |
31 | namePrefix: {{ .Values.namePrefix }}registry- | 37 | namePrefix: {{ .Values.namePrefix }}registry- |
32 | images: | 38 | #images: |
33 | redis: {{ .Values.images.redis }} | 39 | # redis: {{ .Values.images.redis }} |
34 | 40 | ||
35 | releases: | 41 | releases: |
36 | - name: {{ .Values.namePrefix }}registry | 42 | - name: {{ .Values.namePrefix }}registry |
37 | namespace: {{ .Values.namespace }} | 43 | namespace: {{ .Values.namespace }} |
38 | chart: . | 44 | chart: charts/registry |
39 | values: | 45 | values: |
40 | - set-common-values.yaml.gotmpl | 46 | - set-common-values.yaml.gotmpl |
41 | jsonPatches: | 47 | jsonPatches: |
... | @@ -49,8 +55,26 @@ releases: | ... | @@ -49,8 +55,26 @@ releases: |
49 | path: /spec/selector/app | 55 | path: /spec/selector/app |
50 | value: {{ .Values.namePrefix }}registry | 56 | value: {{ .Values.namePrefix }}registry |
51 | - op: replace | 57 | - op: replace |
58 | path: /spec/type | ||
59 | value: {{ .Values.registry.service.registry.type }} | ||
60 | {{- if .Values.registry.service.registry.clusterIP }} | ||
61 | - op: add | ||
62 | path: /spec/clusterIP | ||
63 | value: {{ .Values.registry.service.registry.clusterIP }} | ||
64 | {{- end }} | ||
65 | {{- if eq .Values.registry.service.registry.type "ClusterIP" }} | ||
66 | - op: remove | ||
67 | path: /spec/ports/0/nodePort | ||
68 | {{- else if eq .Values.registry.service.registry.type "LoadBalancer" }} | ||
69 | - op: remove | ||
70 | path: /spec/ports/0/nodePort | ||
71 | {{- else }} | ||
72 | {{- if .Values.registry.service.registry.nodePort }} | ||
73 | - op: replace | ||
52 | path: /spec/ports/0/nodePort | 74 | path: /spec/ports/0/nodePort |
53 | value: {{ .Values.registry.service.registry.nodePort }} | 75 | value: {{ .Values.registry.service.registry.nodePort }} |
76 | {{- end }} | ||
77 | {{- end }} | ||
54 | {{- if .Values.istioVirtualService.enabled }} | 78 | {{- if .Values.istioVirtualService.enabled }} |
55 | - target: | 79 | - target: |
56 | kind: VirtualService | 80 | kind: VirtualService |
... | @@ -62,6 +86,16 @@ releases: | ... | @@ -62,6 +86,16 @@ releases: |
62 | - op: replace | 86 | - op: replace |
63 | path: /spec/http/0/route/0/destination/host | 87 | path: /spec/http/0/route/0/destination/host |
64 | value: {{ .Values.namePrefix }}registry | 88 | value: {{ .Values.namePrefix }}registry |
89 | - target: | ||
90 | kind: DestinationRule | ||
91 | name: {{ .Values.namePrefix }}registry-originate-tls | ||
92 | namespace: {{ .Values.namespace }} | ||
93 | version: v1beta1 | ||
94 | group: networking.istio.io | ||
95 | patch: | ||
96 | - op: replace | ||
97 | path: /spec/host | ||
98 | value: {{ .Values.namePrefix }}registry | ||
65 | {{- end }} | 99 | {{- end }} |
66 | {{- if not (empty (.Values.registry.jsonPatches)) }} | 100 | {{- if not (empty (.Values.registry.jsonPatches)) }} |
67 | {{- .Values.registry.jsonPatches | toYaml | indent 6 }} | 101 | {{- .Values.registry.jsonPatches | toYaml | indent 6 }} |
... | @@ -85,6 +119,18 @@ releases: | ... | @@ -85,6 +119,18 @@ releases: |
85 | {{- else }} | 119 | {{- else }} |
86 | $patch: delete | 120 | $patch: delete |
87 | {{- end }} | 121 | {{- end }} |
122 | - apiVersion: cert-manager.io/v1 | ||
123 | kind: Certificate | ||
124 | metadata: | ||
125 | name: {{ .Values.namePrefix }}registry-crt | ||
126 | namespace: {{ .Values.namespace }} | ||
127 | spec: | ||
128 | dnsNames: | ||
129 | {{- range $hostName_index, $hostName := .Values.certificate.hostNames }} | ||
130 | - {{ $hostName | quote }} | ||
131 | {{- end }} | ||
132 | issuerRef: | ||
133 | name: {{ .Values.certificate.issuerRef }} | ||
88 | - apiVersion: apps/v1 | 134 | - apiVersion: apps/v1 |
89 | kind: Deployment | 135 | kind: Deployment |
90 | metadata: | 136 | metadata: | ... | ... |
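Review bot: The `istioVirtualService.enabled` guard (new line 78) now also patches the DestinationRule's host, but nothing visible deletes that DestinationRule when the flag is off — the `$patch: delete` at new lines 119–121 belongs to a resource that starts outside the hunk, presumably the VirtualService — so disabling the VirtualService would leave a DestinationRule for the unprefixed host `registry` applied; a matching strategic-merge delete for it is below. Two smaller points: the `ClusterIP` and `LoadBalancer` branches at new lines 65–70 are identical and can be collapsed into one `{{- if or (eq .Values.registry.service.registry.type "ClusterIP") (eq .Values.registry.service.registry.type "LoadBalancer") }}`, and a JSON-patch `remove`/`replace` on `/spec/ports/0/nodePort` fails the whole release if the chart's Service, switched to `ClusterIP` in this commit, no longer carries a `nodePort` field — I cannot see that from here. The default `type: NodePort` with `nodePort: 0` exposes the registry on a random port of every node, outside the mesh; the new TLS helps, but a comment on that default saying it is the intended out-of-mesh path (per the commit message) would save the next reader a question.
```yaml
# … unchanged: existing strategicMergePatches, Certificate patch …
- apiVersion: networking.istio.io/v1beta1
  kind: DestinationRule
  metadata:
    name: {{ .Values.namePrefix }}registry-originate-tls
    namespace: {{ .Values.namespace }}
  {{- if not .Values.istioVirtualService.enabled }}
  $patch: delete
  {{- end }}
```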