9458134d by Adam Heath

WIP: Per-application istio-gateway stuff.

1 parent 7f96dad7
...@@ -27,6 +27,8 @@ releases: ...@@ -27,6 +27,8 @@ releases:
27 namespace: cert-manager 27 namespace: cert-manager
28 values: 28 values:
29 - installCRDs: true 29 - installCRDs: true
30 extraArgs:
31 - "--feature-gates=ExperimentalGatewayAPISupport=true"
30 32
31 - name: cluster-issuer 33 - name: cluster-issuer
32 chart: charts/cluster-issuer 34 chart: charts/cluster-issuer
......
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 - github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0
6
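Review bot: The remote base on new line 5 is fetched by the tag `v0.5.0`, which the upstream repository can move, so the cluster-wide CRDs applied from it are not reproducible from this commit alone. Pinning the ref to the full commit hash that the tag currently points at, e.g. `- github.com/kubernetes-sigs/gateway-api/config/crd?ref=<full-commit-sha-for-v0.5.0>`, with a trailing `# v0.5.0` comment for readability, would make the input immutable. Vendoring the rendered CRD manifests into the repository is an alternative that also makes later changes reviewable.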
1 releases:
2 - name: gateway-apis
3 chart: charts/gateway-apis
...@@ -2,11 +2,26 @@ ...@@ -2,11 +2,26 @@
2 apiVersion: cert-manager.io/v1 2 apiVersion: cert-manager.io/v1
3 kind: Certificate 3 kind: Certificate
4 metadata: 4 metadata:
5 name: istio-gateway-cert 5 name: istio-gateway-basecert
6 spec: 6 spec:
7 secretName: istio-gateway 7 secretName: istio-gateway
8 dnsNames: 8 dnsNames:
9 - '*' 9 - "example.com"
10 issuerRef:
11 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here.
13 # The default value is Issuer (i.e. a locally namespaced Issuer)
14 kind: ClusterIssuer
15 group: cert-manager.io
16 ---
17 apiVersion: cert-manager.io/v1
18 kind: Certificate
19 metadata:
20 name: istio-gateway-wildcardcert
21 spec:
22 secretName: istio-gateway
23 dnsNames:
24 - '*.example.com'
10 issuerRef: 25 issuerRef:
11 name: ca-issuer 26 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here. 27 # We can reference ClusterIssuers by changing the kind here.
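Review bot: Both Certificate objects on the new side, `istio-gateway-basecert` (new line 5) and `istio-gateway-wildcardcert` (new line 20), set `secretName: istio-gateway`, so two issuers reconcile the same Secret and overwrite each other's key pair. cert-manager expects `secretName` to be unique per Certificate in a namespace. With a shared Secret, which certificate the gateway serves depends on which one wrote last, and it can trigger repeated re-issuance. Either give each Certificate its own Secret, e.g. `secretName: istio-gateway-base` and `secretName: istio-gateway-wildcard`, or keep one Certificate whose `dnsNames` list holds both `"example.com"` and `'*.example.com'`.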
......
1 namespace: default
2 name: default 1 name: default
3 selector: {} 2 version:
4 tls: 3 istio: 1.14.3
5 hosts: 4 raw: 1.1.0
6 - "*" 5 gateways:
7 issuerRef: 6 - name: default
8 name: ca-issuer 7 hosts:
9 # We can reference ClusterIssuers by changing the kind here. 8 - name: "*"
10 # The default value is Issuer (i.e. a locally namespaced Issuer) 9 tls: nil
11 kind: ClusterIssuer 10
12 group: cert-manager.io
13 mode: SIMPLE
14 http:
15 hosts:
16 - "*"
17 11
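Review bot: On new line 9, `tls: nil` is not a YAML null; it parses as the string "nil", so the key exists and holds a scalar. If these values feed the gateway template changed in this commit (inferred from the matching `.Values.gateways` / `.Values.version` names), `hasKey $host "tls"` is true and the following `hasKey $host.tls "certRef"` is given a string instead of a map, which should fail at render time. For a host that is meant to be HTTP-only, leave the `tls` key out entirely; otherwise give it a mapping with `mode` and `issuerRef`. Separately, the host name `"*"` on new line 8 is interpolated into resource names such as `istio-gateway-cert-{{ $host.name }}`, which would not be a valid Kubernetes object name once TLS is enabled for it.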
......
...@@ -3,50 +3,89 @@ bases: ...@@ -3,50 +3,89 @@ bases:
3 3
4 --- 4 ---
5 5
6 repositories:
7 - name: istio
8 url: https://istio-release.storage.googleapis.com/charts
9 - name: bedag
10 url: https://bedag.github.io/helm-charts/
11
6 releases: 12 releases:
7 - name: istio-gateway-{{ .Values.name }} 13 - name: istio-gateway-{{ .Values.name }}
8 namespace: {{ .Values.namespace }} 14 namespace: istio-system
9 chart: charts/gateway 15 chart: bedag/raw
16 version: {{ $.Values.version.raw }}
10 disableValidationOnInstall: true 17 disableValidationOnInstall: true
18 dependencies:
19 - chart: istio/gateway
20 alias: gateway
21 version: {{ $.Values.version.istio }}
11 values: 22 values:
12 - nameSuffix: -{{ .Values.name }} 23 - gateway: {}
13 strategicMergePatches: 24 resources:
14 - apiVersion: networking.istio.io/v1beta1 25 - apiVersion: v1
15 kind: Gateway 26 kind: ConfigMap
16 metadata: 27 metadata:
17 name: istio-gateway-{{ .Values.name }} 28 name: istio-gateway-foo-{{ .Values.name }}
18 namespace: {{ .Values.namespace }} 29 data:
19 spec: 30 foo: "bar"
20 selector: {{ .Values.selector | toYaml | nindent 12 }} 31 {{- range $gateway_index, $gateway := .Values.gateways }}
21 servers: 32 - apiVersion: networking.istio.io/v1beta1
22 {{- if .Values.http.hosts }} 33 kind: Gateway
23 - port: 34 metadata:
24 name: http 35 name: istio-gateway-{{ $gateway.name }}
25 number: 80 36 spec:
26 protocol: HTTP 37 selector:
27 hosts: {{ .Values.http.hosts | toYaml | nindent 16 }} 38 app: istio-gateway-{{ $.Values.name }}
39 istio: gateway-{{ $.Values.name }}
40 servers:
41 {{- range $host_index, $host := $gateway.hosts }}
42 - port:
43 name: http-{{ $host.name }}
44 number: 80
45 protocol: HTTP
46 hosts:
47 - {{ $host.name | quote }}
48 {{- if hasKey $host "tls" }}
49 - port:
50 name: https-{{ $host.name }}
51 number: 443
52 protocol: HTTPS
53 hosts:
54 - {{ $host.name | quote }}
55 tls:
56 # TODO: Switch certs based on wildcard or not
57 {{- if hasKey $host.tls "certRef" }}
58 credentialName: {{ $host.tls.certRef | quote }}
59 {{- else if hasPrefix "*." $host.name }}
60 credentialName: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
61 {{- else }}
62 credentialName: istio-gateway-cert-{{ $host.name }}
63 {{- end }}
64 mode: {{ $host.tls.mode | quote }}
65 {{- end }}
66 {{- end }}
67 {{- range $host_index, $host := $gateway.hosts }}
68 {{- if hasKey $host "tls" }}
69 {{- if not (hasKey $host.tls "certRef") }}
70 - apiVersion: cert-manager.io/v1
71 kind: Certificate
72 metadata:
73 {{- if hasPrefix "*." $host.name }}
74 name: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
75 {{- else }}
76 name: istio-gateway-cert-{{ $host.name }}
28 {{- end }} 77 {{- end }}
29 {{- if .Values.tls.hosts }} 78 spec:
30 - port: 79 {{- if hasPrefix "*." $host.name }}
31 name: https 80 secretName: istio-gateway-wildcardcert-{{ $host.name | replace "*i." "" }}
32 number: 443 81 {{- else }}
33 protocol: HTTPS 82 secretName: istio-gateway-cert-{{ $host.name }}
34 hosts: {{ .Values.http.hosts | toYaml | nindent 16 }}
35 tls:
36 credentialName: istio-gateway-cert-{{ .Values.name }}
37 mode: {{ .Values.tls.mode | quote }}
38 {{- end }} 83 {{- end }}
39 - apiVersion: cert-manager.io/v1 84 dnsNames:
40 kind: Certificate 85 - {{ $host.name | quote }}
41 metadata: 86 issuerRef: {{ $host.tls.issuerRef | toYaml | nindent 18 }}
42 name: istio-gateway-cert-{{ .Values.name }} 87 {{- end }}
43 namespace: {{ .Values.namespace }}
44 {{- if .Values.tls.hosts }}
45 spec:
46 secretName: istio-gateway-cert-{{ .Values.name }}
47 dnsNames: {{ .Values.tls.hosts | toYaml | nindent 12 }}
48 issuerRef: {{ .Values.tls.issuerRef | toYaml | nindent 12 }}
49 {{ else }}
50 $patch: delete
51 {{- end }} 88 {{- end }}
52 89 {{- end }}
90 {{- end }}
91 ---
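Review bot: The wildcard branch of the Certificate's `secretName` on new line 80 calls `replace "*i." ""`, while `metadata.name` (new line 74) and the Gateway's `credentialName` (new line 60) use `replace "*." ""`. For a host such as `*.example.com` the pattern never matches, so the Secret name keeps the `*.` prefix, is not a valid Secret name, and in any case differs from the `credentialName` the Gateway looks up; the line should read `secretName: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}`. The `# TODO: Switch certs based on wildcard or not` comment on new line 56 also looks stale, since the branches below it already do that. Separately, every host gets a plaintext port-80 server (new lines 42-47) even when `tls` is set; if HTTPS is intended to be mandatory for those hosts, adding `tls: { httpsRedirect: true }` to that server inside a `hasKey $host "tls"` guard would state it explicitly.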
......