WIP: Per-application istio-gateway stuff.

Adam Heath
Showing 6 changed files with 116 additions and 57 deletions
cert-manager/helmfile.yaml
gateway-apis/charts/gateway-apis/kustomization.yaml
gateway-apis/helmfile.yaml
istio-gateway/charts/gateway/gateway.yaml
istio-gateway/environments/default-values.yaml
istio-gateway/helmfile.yaml
--- a/cert-manager/helmfile.yaml
View file @9458134
+++ b/cert-manager/helmfile.yaml
View file @9458134
@@ -27,6 +27,8 @@ releases:
    namespace: cert-manager
    values:
      - installCRDs: true
+        extraArgs:
+          - "--feature-gates=ExperimentalGatewayAPISupport=true"

  - name: cluster-issuer
    chart: charts/cluster-issuer
--- a/gateway-apis/charts/gateway-apis/kustomization.yaml 0 → 100644
View file @9458134
+++ b/gateway-apis/charts/gateway-apis/kustomization.yaml 0 → 100644
View file @9458134
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0
+
--- a/gateway-apis/helmfile.yaml 0 → 100644
View file @9458134
+++ b/gateway-apis/helmfile.yaml 0 → 100644
View file @9458134
+releases:
+  - name: gateway-apis
+    chart: charts/gateway-apis
--- a/istio-gateway/charts/gateway/gateway.yaml
View file @9458134
+++ b/istio-gateway/charts/gateway/gateway.yaml
View file @9458134
@@ -2,11 +2,26 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: istio-gateway-cert
+  name: istio-gateway-basecert
 spec:
  secretName: istio-gateway
  dnsNames:
-    - '*'
+    - "example.com"
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: istio-gateway-wildcardcert
+spec:
+  secretName: istio-gateway
+  dnsNames:
+    - '*.example.com'
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
--- a/istio-gateway/environments/default-values.yaml
View file @9458134
+++ b/istio-gateway/environments/default-values.yaml
View file @9458134
-namespace: default
 name: default
-selector: {}
-tls:
-  hosts:
-    - "*"
-  issuerRef:
-    name: ca-issuer
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: ClusterIssuer
-    group: cert-manager.io
-  mode: SIMPLE
-http:
-  hosts:
-    - "*"
+version:
+  istio: 1.14.3
+  raw: 1.1.0
+gateways:
+  - name: default
+    hosts:
+      - name: "*"
+        tls: nil
+

--- a/istio-gateway/helmfile.yaml
View file @9458134
+++ b/istio-gateway/helmfile.yaml
View file @9458134
@@ -3,50 +3,89 @@ bases:

 ---

+repositories:
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+
 releases:
  - name: istio-gateway-{{ .Values.name }}
-    namespace: {{ .Values.namespace }}
-    chart: charts/gateway
+    namespace: istio-system
+    chart: bedag/raw
+    version: {{ $.Values.version.raw }}
    disableValidationOnInstall: true
+    dependencies:
+      - chart: istio/gateway
+        alias: gateway
+        version: {{ $.Values.version.istio }}
    values:
-      - nameSuffix: -{{ .Values.name }}
-    strategicMergePatches:
-      - apiVersion: networking.istio.io/v1beta1
-        kind: Gateway
-        metadata:
-          name: istio-gateway-{{ .Values.name }}
-          namespace: {{ .Values.namespace }}
-        spec:
-          selector: {{ .Values.selector | toYaml | nindent 12 }}
-          servers:
-            {{- if .Values.http.hosts }}
-            - port:
-                name: http
-                number: 80
-                protocol: HTTP
-              hosts: {{ .Values.http.hosts | toYaml | nindent 16 }}
+      - gateway: {}
+        resources:
+          - apiVersion: v1
+            kind: ConfigMap
+            metadata:
+              name: istio-gateway-foo-{{ .Values.name }}
+            data:
+              foo: "bar"
+    {{- range $gateway_index, $gateway := .Values.gateways }}
+          - apiVersion: networking.istio.io/v1beta1
+            kind: Gateway
+            metadata:
+              name: istio-gateway-{{ $gateway.name }}
+            spec:
+              selector:
+                app: istio-gateway-{{ $.Values.name }}
+                istio: gateway-{{ $.Values.name }}
+              servers:
+      {{- range $host_index, $host := $gateway.hosts }}
+                - port:
+                    name: http-{{ $host.name }}
+                    number: 80
+                    protocol: HTTP
+                  hosts:
+                    - {{ $host.name | quote }}
+        {{- if hasKey $host "tls" }}
+                - port:
+                    name: https-{{ $host.name }}
+                    number: 443
+                    protocol: HTTPS
+                  hosts:
+                    - {{ $host.name | quote }}
+                  tls:
+                    # TODO: Switch certs based on wildcard or not
+          {{- if hasKey $host.tls "certRef" }}
+                    credentialName: {{ $host.tls.certRef | quote }}
+          {{- else if hasPrefix "*." $host.name }}
+                    credentialName: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
+          {{- else }}
+                    credentialName: istio-gateway-cert-{{ $host.name }}
+          {{- end }}
+                    mode: {{ $host.tls.mode | quote }}
+        {{- end }}
+      {{- end }}
+      {{- range $host_index, $host := $gateway.hosts }}
+        {{- if hasKey $host "tls" }}
+          {{- if not (hasKey $host.tls "certRef") }}
+          - apiVersion: cert-manager.io/v1
+            kind: Certificate
+            metadata:
+            {{- if hasPrefix "*." $host.name }}
+              name: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
+            {{- else }}
+              name: istio-gateway-cert-{{ $host.name }}
            {{- end }}
-            {{- if .Values.tls.hosts }}
-            - port:
-                name: https
-                number: 443
-                protocol: HTTPS
-              hosts: {{ .Values.http.hosts | toYaml | nindent 16 }}
-              tls:
-                credentialName: istio-gateway-cert-{{ .Values.name }}
-                mode: {{ .Values.tls.mode | quote }}
+            spec:
+            {{- if hasPrefix "*." $host.name }}
+              secretName: istio-gateway-wildcardcert-{{ $host.name | replace "*i." "" }}
+            {{- else }}
+              secretName: istio-gateway-cert-{{ $host.name }}
            {{- end }}
-      - apiVersion: cert-manager.io/v1
-        kind: Certificate
-        metadata:
-          name: istio-gateway-cert-{{ .Values.name }}
-          namespace: {{ .Values.namespace }}
-        {{- if .Values.tls.hosts }}
-        spec:
-          secretName: istio-gateway-cert-{{ .Values.name }}
-          dnsNames: {{ .Values.tls.hosts | toYaml | nindent 12 }}
-          issuerRef: {{ .Values.tls.issuerRef | toYaml | nindent 12 }}
-        {{ else }}
-        $patch: delete
+              dnsNames:
+                - {{ $host.name | quote }}
+              issuerRef: {{ $host.tls.issuerRef | toYaml | nindent 18 }}
+          {{- end }}
        {{- end }}
-
+      {{- end }}
+    {{- end }}
+---