8b3feaef by Adam Heath

Checkpoint; basically, the registry can be on an external LoadBalancer

port, *and* on istio VirtualService.
1 parent dfec78f8
...@@ -3,4 +3,5 @@ releases: ...@@ -3,4 +3,5 @@ releases:
3 - name: cert-manager 3 - name: cert-manager
4 chart: . 4 chart: .
5 wait: true 5 wait: true
6 atomic: true
6 --- 7 ---
...@@ -3,4 +3,5 @@ kind: Kustomization ...@@ -3,4 +3,5 @@ kind: Kustomization
3 3
4 resources: 4 resources:
5 - ./cluster-issuer.yaml 5 - ./cluster-issuer.yaml
6 - ./letsencrypt.yaml
6 7
...@@ -6,17 +6,28 @@ environments: ...@@ -6,17 +6,28 @@ environments:
6 strategicMergePatches: [] 6 strategicMergePatches: []
7 caIssuer: 7 caIssuer:
8 secretName: root-ca 8 secretName: root-ca
9 letsencrypt:
10 enabled: true
11 email: name@example.com
12 tls_key: replace-me
13
14 repositories:
15 - name: jetstack
16 url: https://charts.jetstack.io
9 17
10 --- 18 ---
11 helmfiles: 19 releases:
12 - path: ./charts/cert-manager/helmfile.yaml 20 - name: cert-manager
21 chart: jetstack/cert-manager
22 namespace: cert-manager
13 values: 23 values:
14 - 24 - installCRDs: true
15 {{- toYaml .Values | nindent 8 }}
16 25
17 releases:
18 - name: cluster-issuer 26 - name: cluster-issuer
19 chart: charts/cluster-issuer 27 chart: charts/cluster-issuer
28 disableValidationOnInstall: true
29 needs:
30 - cert-manager/cert-manager
20 jsonPatches: 31 jsonPatches:
21 {{- if not (empty (.Values.clusterIssuer.jsonPatches)) }} 32 {{- if not (empty (.Values.clusterIssuer.jsonPatches)) }}
22 {{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }} 33 {{- .Values.clusterIssuer.jsonPatches | toYaml | indent 6 }}
...@@ -30,6 +41,39 @@ releases: ...@@ -30,6 +41,39 @@ releases:
30 spec: 41 spec:
31 ca: 42 ca:
32 secretName: {{ .Values.clusterIssuer.caIssuer.secretName }} 43 secretName: {{ .Values.clusterIssuer.caIssuer.secretName }}
44 - apiVersion: v1
45 kind: Secret
46 metadata:
47 namespace: cert-manager
48 name: acme-account-key
49 {{- if .Values.clusterIssuer.letsencrypt.enabled }}
50 data:
51 tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key }}
52 {{- else }}
53 $patch: delete
54 {{- end }}
55 - apiVersion: cert-manager.io/v1
56 kind: ClusterIssuer
57 metadata:
58 namespace: cert-manager
59 name: letsencrypt-staging
60 {{- if .Values.clusterIssuer.letsencrypt.enabled }}
61 spec:
62 email: {{ .Values.clusterIssuer.letsencrypt.email }}
63 {{- else }}
64 $patch: delete
65 {{- end }}
66 - apiVersion: cert-manager.io/v1
67 kind: ClusterIssuer
68 metadata:
69 namespace: cert-manager
70 name: letsencrypt-production
71 {{- if .Values.clusterIssuer.letsencrypt.enabled }}
72 spec:
73 email: {{ .Values.clusterIssuer.letsencrypt.email }}
74 {{- else }}
75 $patch: delete
76 {{- end }}
33 {{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }} 77 {{- if not (empty (.Values.clusterIssuer.strategicMergePatches)) }}
34 {{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }} 78 {{- .Values.clusterIssuer.strategicMergePatches | toYaml | indent 6 }}
35 {{- end }} 79 {{- end }}
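Review bot: The Secret patch at new lines 44-51 puts the ACME account key under `data`, which the API server requires to be base64; a raw PEM value supplied through `tls_key` is rejected at apply time, so either switch the field to `stringData:` or render it as `tls.key: {{ .Values.clusterIssuer.letsencrypt.tls_key | b64enc | quote }}`. Since cert-manager generates the ACME account key itself when the Secret named by the issuer's `privateKeySecretRef` does not exist, the whole Secret entry and the committed `tls_key: replace-me` placeholder at new line 12 may be unnecessary unless an existing account must be imported; if it stays, the real key belongs in an environment secrets file rather than plain values. The ClusterIssuer patches at new lines 61-62 and 72-73 set `spec.email`, whereas the cert-manager API places the ACME contact at `spec.acme.email`; unless `charts/cluster-issuer` (outside this diff) relies on a different layout, the field will be pruned as unknown and the issuers will not pick up the address.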
1 ---
2 apiVersion: cert-manager.io/v1
3 kind: Certificate
4 metadata:
5 name: istio-gateway-certs
6 spec:
7 secretName: istio-gateway-certs
8 dnsNames:
9 - '*'
10 issuerRef:
11 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here.
13 # The default value is Issuer (i.e. a locally namespaced Issuer)
14 kind: ClusterIssuer
15 group: cert-manager.io
16 ---
17 apiVersion: networking.istio.io/v1beta1
18 kind: Gateway
19 metadata:
20 name: istio-gateway
21 spec:
22 selector:
23 istio: istio-gateway
24 servers:
25 - hosts:
26 - '*'
27 port:
28 name: http
29 number: 80
30 protocol: HTTP
31 - hosts:
32 - '*'
33 port:
34 name: https
35 number: 443
36 protocol: HTTPS
37 tls:
38 credentialName: istio-gateway-certs
39 mode: SIMPLE
40 ---
41 apiVersion: v1
42 kind: Service
43 metadata:
44 name: istio-gateway
45 spec:
46 type: LoadBalancer
47 selector:
48 istio: istio-gateway
49 ports:
50 - port: 80
51 name: http
52 - port: 443
53 name: https
54 ---
55 apiVersion: apps/v1
56 kind: Deployment
57 metadata:
58 name: istio-gateway
59 spec:
60 selector:
61 matchLabels:
62 istio: istio-gateway
63 template:
64 metadata:
65 annotations:
66 # Select the gateway injection template (rather than the default sidecar template)
67 inject.istio.io/templates: gateway
68 labels:
69 # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
70 istio: istio-gateway
71 # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
72 sidecar.istio.io/inject: "true"
73 spec:
74 containers:
75 - name: istio-proxy
76 image: auto # The image will automatically update each time the pod starts.
77 ---
78 # Set up roles to allow reading credentials for TLS
79 apiVersion: rbac.authorization.k8s.io/v1
80 kind: Role
81 metadata:
82 name: istio-gateway-sds
83 rules:
84 - apiGroups: [""]
85 resources: ["secrets"]
86 verbs: ["get", "watch", "list"]
87 ---
88 apiVersion: rbac.authorization.k8s.io/v1
89 kind: RoleBinding
90 metadata:
91 name: istio-gateway-sds
92 roleRef:
93 apiGroup: rbac.authorization.k8s.io
94 kind: Role
95 name: istio-gateway-sds
96 subjects:
97 - kind: ServiceAccount
98 name: default
99 ---
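Review bot: The Role and RoleBinding at new lines 78-98 grant `get`/`watch`/`list` on all Secrets in the namespace to the `default` ServiceAccount, so every pod in that namespace that does not set `serviceAccountName` can read `istio-gateway-certs` and any other secret stored there. A dedicated ServiceAccount for the gateway, referenced from the Deployment's pod spec and named in `subjects`, keeps the grant on the proxy alone. The Certificate's `dnsNames` entry `'*'` at new line 9 is a bare asterisk rather than a domain wildcard; clients doing hostname verification will not match it, so confirm that only an internal CA and testing without name checks are intended. The Gateway at new lines 17-39 also serves plain HTTP on port 80 with no redirect; if that listener exists only for ACME challenges, `tls.httpsRedirect: true` on the http server would send everything else to HTTPS.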
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 # - ./gateway.yaml
6 # - ./deployment.yaml
7
...@@ -3,11 +3,19 @@ environments: ...@@ -3,11 +3,19 @@ environments:
3 values: 3 values:
4 - namespace: istio-system 4 - namespace: istio-system
5 namePrefix: "" 5 namePrefix: ""
6 gateways: [] 6 version:
7 istio: 1.14.1
8 raw: 1.1.0
9 gateways:
10 - name: cluster-local-gateway
11 hosts:
12 - "*"
7 13
8 repositories: 14 repositories:
9 - name: istio 15 - name: istio
10 url: https://istio-release.storage.googleapis.com/charts 16 url: https://istio-release.storage.googleapis.com/charts
17 - name: bedag
18 url: https://bedag.github.io/helm-charts/
11 19
12 --- 20 ---
13 helmfiles: 21 helmfiles:
...@@ -15,34 +23,76 @@ helmfiles: ...@@ -15,34 +23,76 @@ helmfiles:
15 values: 23 values:
16 - namespace: {{ .Values.namespace }} 24 - namespace: {{ .Values.namespace }}
17 namePrefix: "" 25 namePrefix: ""
26 version: {{ .Values.version.istio }}
18 - path: istiod.helmfile.yaml 27 - path: istiod.helmfile.yaml
19 values: 28 values:
20 - namespace: {{ .Values.namespace }} 29 - namespace: {{ .Values.namespace }}
21 namePrefix: "" 30 namePrefix: ""
31 version: {{ .Values.version.istio }}
22 32
23 releases: 33 releases:
24 {{- range $gateway_index, $gateway := .Values.gateways }} 34 - name: {{ $.Values.namePrefix }}gateways
25 - name: {{ $.Values.namePrefix }}gateway-{{ $gateway.name }} 35 namespace: {{ .Values.namespace }}
26 namespace: {{ $gateway | get "namespace" "istio-system" }} 36 chart: charts/gateway
27 chart: istio/gateway 37 dependencies:
38 {{- range $gateway_index, $gateway := .Values.gateways }}
39 - chart: istio/gateway
40 alias: gatewayd-{{ $gateway.name }}
41 version: {{ $.Values.version.istio }}
42 - chart: bedag/raw
43 alias: gateway-{{ $gateway.name }}
44 version: {{ $.Values.version.raw }}
45 {{- end }}
28 values: 46 values:
29 - service: 47 {{- range $gateway_index, $gateway := .Values.gateways }}
48 - gatewayd-{{ $gateway.name }}:
49 name: {{ $gateway.name }}
50 service:
30 type: LoadBalancer 51 type: LoadBalancer
31 loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }} 52 loadBalancerIP: {{ $gateway | get "loadBalancerIP" "" }}
32 externalTrafficPolicy: Cluster 53 autoscaling:
33 ports: 54 enabled: false
34 - name: status-port 55 gateway-{{ $gateway.name }}:
35 port: 15021 56 resources:
36 protocol: TCP 57 - apiVersion: cert-manager.io/v1
37 targetPort: 15021 58 kind: Certificate
38 - name: http2 59 metadata:
39 port: 80 60 name: istio-cert-{{ $gateway.name }}
40 protocol: TCP 61 spec:
41 targetPort: 80 62 secretName: istio-cert-{{ $gateway.name }}
42 - name: https 63 dnsNames:
43 port: 443 64 - '*'
44 protocol: TCP 65 issuerRef:
45 targetPort: 443 66 name: ca-issuer
67 # We can reference ClusterIssuers by changing the kind here.
68 # The default value is Issuer (i.e. a locally namespaced Issuer)
69 kind: ClusterIssuer
70 group: cert-manager.io
71
72 - apiVersion: networking.istio.io/v1beta1
73 kind: Gateway
74 metadata:
46 name: {{ $gateway.name }} 75 name: {{ $gateway.name }}
47 {{- end }} 76 spec:
77 selector:
78 istio: {{ $gateway.name }}
79 servers:
80 - hosts:
81 - '*'
82 port:
83 name: http
84 number: 80
85 protocol: HTTP
86 - hosts:
87 - '*'
88 port:
89 name: https
90 number: 443
91 protocol: HTTPS
92 tls:
93 credentialName: istio-cert-{{ $gateway.name }}
94 mode: SIMPLE
95
96 {{- end }}
97
48 98
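Review bot: The per-gateway `hosts` list added to the environment values at new lines 9-12 is never consumed; the rendered Gateway hardcodes `- '*'` for both servers at new lines 80-81 and 86-87, and the Certificate's `dnsNames` at new line 64 does the same. Rendering the list instead — `hosts:` followed by `{{- range $gateway.hosts }}` / `- {{ . | quote }}` / `{{- end }}` in each server, and likewise under `dnsNames` — makes the setting effective and lets the certificate carry real names rather than a bare `'*'`. The old per-gateway `namespace` lookup (`get "namespace" "istio-system"`) is dropped, so every gateway now lands in `{{ .Values.namespace }}`; if that is intended, a line in the commit message would save the next reader a search.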
...@@ -2,4 +2,6 @@ releases: ...@@ -2,4 +2,6 @@ releases:
2 - name: {{ .Values.namePrefix }}istio-base 2 - name: {{ .Values.namePrefix }}istio-base
3 namespace: {{ .Values.namespace }} 3 namespace: {{ .Values.namespace }}
4 chart: istio/base 4 chart: istio/base
5 version: {{ .Values.version }}
6 wait: true
5 7
...@@ -2,4 +2,5 @@ releases: ...@@ -2,4 +2,5 @@ releases:
2 - name: {{ .Values.namePrefix }}istiod 2 - name: {{ .Values.namePrefix }}istiod
3 namespace: {{ .Values.namespace }} 3 namespace: {{ .Values.namespace }}
4 chart: istio/istiod 4 chart: istio/istiod
5 version: {{ .Values.version }}
5 6
...@@ -14,7 +14,7 @@ releases: ...@@ -14,7 +14,7 @@ releases:
14 14
15 - name: {{ .Values.namePrefix }}redis-server 15 - name: {{ .Values.namePrefix }}redis-server
16 namespace: {{ .Values.namespace }} 16 namespace: {{ .Values.namespace }}
17 chart: . 17 chart: charts/redis-server
18 values: 18 values:
19 - set-common-values.yaml.gotmpl 19 - set-common-values.yaml.gotmpl
20 jsonPatches: 20 jsonPatches:
...@@ -4,6 +4,8 @@ kind: ConfigMap ...@@ -4,6 +4,8 @@ kind: ConfigMap
4 metadata: 4 metadata:
5 name: registry-config 5 name: registry-config
6 data: 6 data:
7 REGISTRY_HTTP_TLS_CERTIFICATE: /certs/tls.crt
8 REGISTRY_HTTP_TLS_KEY: /certs/tls.key
7 --- 9 ---
8 apiVersion: v1 10 apiVersion: v1
9 kind: Secret 11 kind: Secret
1 --- 1 ---
2 apiVersion: cert-manager.io/v1
3 kind: Certificate
4 metadata:
5 name: registry-crt
6 spec:
7 secretName: registry-crt
8 dnsNames:
9 - registry.local
10 issuerRef:
11 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here.
13 # The default value is Issuer (i.e. a locally namespaced Issuer)
14 kind: ClusterIssuer
15 group: cert-manager.io
16 ---
2 apiVersion: networking.istio.io/v1beta1 17 apiVersion: networking.istio.io/v1beta1
3 kind: VirtualService 18 kind: VirtualService
4 metadata: 19 metadata:
...@@ -15,16 +30,29 @@ spec: ...@@ -15,16 +30,29 @@ spec:
15 number: 5000 30 number: 5000
16 host: registry 31 host: registry
17 --- 32 ---
33 apiVersion: networking.istio.io/v1beta1
34 kind: DestinationRule
35 metadata:
36 name: registry-originate-tls
37 spec:
38 host: registry
39 trafficPolicy:
40 portLevelSettings:
41 - port:
42 number: 5000
43 tls:
44 mode: SIMPLE
45 ---
18 apiVersion: v1 46 apiVersion: v1
19 kind: Service 47 kind: Service
20 metadata: 48 metadata:
21 name: registry 49 name: registry
22 spec: 50 spec:
23 type: NodePort 51 type: ClusterIP
24 selector: 52 selector:
25 app: registry 53 app: registry
26 ports: 54 ports:
27 - name: registry 55 - name: https-registry
28 protocol: TCP 56 protocol: TCP
29 port: 5000 57 port: 5000
30 targetPort: 5000 58 targetPort: 5000
...@@ -54,6 +82,9 @@ spec: ...@@ -54,6 +82,9 @@ spec:
54 - name: registry-data 82 - name: registry-data
55 persistentVolumeClaim: 83 persistentVolumeClaim:
56 claimName: registry-data 84 claimName: registry-data
85 - name: certificate
86 secret:
87 secretName: registry-crt
57 88
58 containers: 89 containers:
59 - name: registry 90 - name: registry
...@@ -66,4 +97,6 @@ spec: ...@@ -66,4 +97,6 @@ spec:
66 volumeMounts: 97 volumeMounts:
67 - name: registry-data 98 - name: registry-data
68 mountPath: /var/lib/registry 99 mountPath: /var/lib/registry
100 - name: certificate
101 mountPath: /certs
69 102
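Review bot: The DestinationRule at new lines 33-44 originates TLS to the registry with `mode: SIMPLE` but sets neither `caCertificates` nor `sni`, so, unless the mesh is configured to verify upstream certificates by default, the sidecar accepts any certificate on port 5000 and the cert-manager-issued `registry-crt` is never actually checked. The Certificate's only SAN is `registry.local` (new line 9) while the Service and the DestinationRule host are `registry`, so name verification could not succeed even if it were enabled; adding the in-cluster names (`registry` and `registry.<namespace>.svc`, namespace being a placeholder here) to `dnsNames`, setting `sni` in the tls block and pointing `caCertificates` at the issuing CA's certificate available to the sidecar would make this hop verifiable. The `REGISTRY_HTTP_TLS_*` entries in the ConfigMap hunk above and the `/certs` mount at new lines 100-101 otherwise line up with the `registry-crt` Secret volume.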
...@@ -10,7 +10,13 @@ environments: ...@@ -10,7 +10,13 @@ environments:
10 strategicMergePatches: [] 10 strategicMergePatches: []
11 service: 11 service:
12 registry: 12 registry:
13 nodePort: 32123 13 nodePort: 0
14 clusterIP: 0
15 type: NodePort
16 certificate:
17 hostNames:
18 - registry.local
19 issuerRef: ca-issuer
14 istioVirtualService: 20 istioVirtualService:
15 enabled: true 21 enabled: true
16 jsonPatches: [] 22 jsonPatches: []
...@@ -29,13 +35,13 @@ helmfiles: ...@@ -29,13 +35,13 @@ helmfiles:
29 values: 35 values:
30 - namespace: {{ .Values.namespace }} 36 - namespace: {{ .Values.namespace }}
31 namePrefix: {{ .Values.namePrefix }}registry- 37 namePrefix: {{ .Values.namePrefix }}registry-
32 images: 38 #images:
33 redis: {{ .Values.images.redis }} 39 # redis: {{ .Values.images.redis }}
34 40
35 releases: 41 releases:
36 - name: {{ .Values.namePrefix }}registry 42 - name: {{ .Values.namePrefix }}registry
37 namespace: {{ .Values.namespace }} 43 namespace: {{ .Values.namespace }}
38 chart: . 44 chart: charts/registry
39 values: 45 values:
40 - set-common-values.yaml.gotmpl 46 - set-common-values.yaml.gotmpl
41 jsonPatches: 47 jsonPatches:
...@@ -49,8 +55,26 @@ releases: ...@@ -49,8 +55,26 @@ releases:
49 path: /spec/selector/app 55 path: /spec/selector/app
50 value: {{ .Values.namePrefix }}registry 56 value: {{ .Values.namePrefix }}registry
51 - op: replace 57 - op: replace
58 path: /spec/type
59 value: {{ .Values.registry.service.registry.type }}
60 {{- if .Values.registry.service.registry.clusterIP }}
61 - op: add
62 path: /spec/clusterIP
63 value: {{ .Values.registry.service.registry.clusterIP }}
64 {{- end }}
65 {{- if eq .Values.registry.service.registry.type "ClusterIP" }}
66 - op: remove
67 path: /spec/ports/0/nodePort
68 {{- else if eq .Values.registry.service.registry.type "LoadBalancer" }}
69 - op: remove
70 path: /spec/ports/0/nodePort
71 {{- else }}
72 {{- if .Values.registry.service.registry.nodePort }}
73 - op: replace
52 path: /spec/ports/0/nodePort 74 path: /spec/ports/0/nodePort
53 value: {{ .Values.registry.service.registry.nodePort }} 75 value: {{ .Values.registry.service.registry.nodePort }}
76 {{- end }}
77 {{- end }}
54 {{- if .Values.istioVirtualService.enabled }} 78 {{- if .Values.istioVirtualService.enabled }}
55 - target: 79 - target:
56 kind: VirtualService 80 kind: VirtualService
...@@ -62,6 +86,16 @@ releases: ...@@ -62,6 +86,16 @@ releases:
62 - op: replace 86 - op: replace
63 path: /spec/http/0/route/0/destination/host 87 path: /spec/http/0/route/0/destination/host
64 value: {{ .Values.namePrefix }}registry 88 value: {{ .Values.namePrefix }}registry
89 - target:
90 kind: DestinationRule
91 name: {{ .Values.namePrefix }}registry-originate-tls
92 namespace: {{ .Values.namespace }}
93 version: v1beta1
94 group: networking.istio.io
95 patch:
96 - op: replace
97 path: /spec/host
98 value: {{ .Values.namePrefix }}registry
65 {{- end }} 99 {{- end }}
66 {{- if not (empty (.Values.registry.jsonPatches)) }} 100 {{- if not (empty (.Values.registry.jsonPatches)) }}
67 {{- .Values.registry.jsonPatches | toYaml | indent 6 }} 101 {{- .Values.registry.jsonPatches | toYaml | indent 6 }}
...@@ -85,6 +119,18 @@ releases: ...@@ -85,6 +119,18 @@ releases:
85 {{- else }} 119 {{- else }}
86 $patch: delete 120 $patch: delete
87 {{- end }} 121 {{- end }}
122 - apiVersion: cert-manager.io/v1
123 kind: Certificate
124 metadata:
125 name: {{ .Values.namePrefix }}registry-crt
126 namespace: {{ .Values.namespace }}
127 spec:
128 dnsNames:
129 {{- range $hostName_index, $hostName := .Values.certificate.hostNames }}
130 - {{ $hostName | quote }}
131 {{- end }}
132 issuerRef:
133 name: {{ .Values.certificate.issuerRef }}
88 - apiVersion: apps/v1 134 - apiVersion: apps/v1
89 kind: Deployment 135 kind: Deployment
90 metadata: 136 metadata:
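Review bot: The `ClusterIP` and `LoadBalancer` branches at new lines 65-70 are identical, so the dispatch reduces to a single test — `{{- if ne .Values.registry.service.registry.type "NodePort" }}` / `- op: remove` / `path: /spec/ports/0/nodePort` — with the existing nodePort `replace` kept in the `else`. A JSON `remove` op fails when the path is absent, and the base Service in the registry manifest stops at `targetPort: 5000` in the visible hunk, so confirm the base still carries a `nodePort` line for port 0. The commented-out `#images:` lines at new lines 38-39 are dead configuration; drop them or say why they are kept. The `0` sentinels for `nodePort` and `clusterIP` at new lines 13-14 work with the `if` tests but deserve a comment such as `# 0 = leave unset` next to the values.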