9458134d by Adam Heath

WIP: Per-application istio-gateway stuff.

1 parent 7f96dad7
...@@ -27,6 +27,8 @@ releases: ...@@ -27,6 +27,8 @@ releases:
27 namespace: cert-manager 27 namespace: cert-manager
28 values: 28 values:
29 - installCRDs: true 29 - installCRDs: true
30 extraArgs:
31 - "--feature-gates=ExperimentalGatewayAPISupport=true"
30 32
31 - name: cluster-issuer 33 - name: cluster-issuer
32 chart: charts/cluster-issuer 34 chart: charts/cluster-issuer
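Review bot: The new `--feature-gates=ExperimentalGatewayAPISupport=true` argument at line 31 makes the cert-manager release depend on the Gateway API CRDs that this commit installs from a separate `gateway-apis` release, but nothing here orders the two. If cert-manager is applied before those CRDs exist, the gateway controller will presumably fail or log errors until they appear; expressing the dependency with a helmfile `needs:` entry on the cert-manager release (namespace-qualified, as helmfile requires) would make the ordering explicit. At minimum a comment above `extraArgs`, `# Requires the Gateway API CRDs (gateway-apis release) to be installed first`, should record it.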
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 - github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0
6
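Review bot: The remote base on line 5 pins the Gateway API CRDs by tag, `?ref=v0.5.0`, which is a mutable git ref: anyone able to move that tag in the upstream repository changes the CRDs applied to the cluster, and kustomize fetches it over the network on every build without a way to verify it. Pinning the commit instead, `- github.com/kubernetes-sigs/gateway-api/config/crd?ref=<COMMIT_SHA_OF_v0.5.0>`, gives a reproducible and tamper-evident install; keep the tag name in a comment above the entry so the version stays discoverable.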
1 releases:
2 - name: gateway-apis
3 chart: charts/gateway-apis
...@@ -2,11 +2,26 @@ ...@@ -2,11 +2,26 @@
2 apiVersion: cert-manager.io/v1 2 apiVersion: cert-manager.io/v1
3 kind: Certificate 3 kind: Certificate
4 metadata: 4 metadata:
5 name: istio-gateway-cert 5 name: istio-gateway-basecert
6 spec: 6 spec:
7 secretName: istio-gateway 7 secretName: istio-gateway
8 dnsNames: 8 dnsNames:
9 - '*' 9 - "example.com"
10 issuerRef:
11 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here.
13 # The default value is Issuer (i.e. a locally namespaced Issuer)
14 kind: ClusterIssuer
15 group: cert-manager.io
16 ---
17 apiVersion: cert-manager.io/v1
18 kind: Certificate
19 metadata:
20 name: istio-gateway-wildcardcert
21 spec:
22 secretName: istio-gateway
23 dnsNames:
24 - '*.example.com'
10 issuerRef: 25 issuerRef:
11 name: ca-issuer 26 name: ca-issuer
12 # We can reference ClusterIssuers by changing the kind here. 27 # We can reference ClusterIssuers by changing the kind here.
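Review bot: Both Certificates in this file now target the same Secret, `secretName: istio-gateway` on lines 7 and 22, so cert-manager will keep overwriting that one Secret with whichever certificate it issued last and the gateway can alternate between the base and the wildcard certificate on every renewal. Each Certificate should own its own Secret, e.g. `secretName: istio-gateway-basecert` for the first and `secretName: istio-gateway-wildcardcert` for the second, with the Gateway's `credentialName` pointing at the one it is meant to serve. A short comment above the second document stating why two certificates exist (wildcards cannot cover the apex name) would also help the next reader.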
1 namespace: default
2 name: default 1 name: default
3 selector: {} 2 version:
4 tls: 3 istio: 1.14.3
4 raw: 1.1.0
5 gateways:
6 - name: default
5 hosts: 7 hosts:
6 - "*" 8 - name: "*"
7 issuerRef: 9 tls: nil
8 name: ca-issuer 10
9 # We can reference ClusterIssuers by changing the kind here.
10 # The default value is Issuer (i.e. a locally namespaced Issuer)
11 kind: ClusterIssuer
12 group: cert-manager.io
13 mode: SIMPLE
14 http:
15 hosts:
16 - "*"
17 11
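Review bot: `tls: nil` on line 9 is the plain YAML string "nil", not a null, so in the gateway template `hasKey $host "tls"` is true and the template then evaluates `hasKey $host.tls "certRef"` and `$host.tls.mode` against a string, which fails at render time. For an HTTP-only host write `tls: null` or omit the key entirely; for a TLS host supply a mapping, e.g. `tls: {mode: SIMPLE}` (constructed example). The chart versions `istio: 1.14.3` and `raw: 1.1.0` happen to parse as strings only because they have two dots; quoting them (`istio: "1.14.3"`) protects against a future two-component version like `1.2` being read as a float.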
...@@ -3,50 +3,89 @@ bases: ...@@ -3,50 +3,89 @@ bases:
3 3
4 --- 4 ---
5 5
6 repositories:
7 - name: istio
8 url: https://istio-release.storage.googleapis.com/charts
9 - name: bedag
10 url: https://bedag.github.io/helm-charts/
11
6 releases: 12 releases:
7 - name: istio-gateway-{{ .Values.name }} 13 - name: istio-gateway-{{ .Values.name }}
8 namespace: {{ .Values.namespace }} 14 namespace: istio-system
9 chart: charts/gateway 15 chart: bedag/raw
16 version: {{ $.Values.version.raw }}
10 disableValidationOnInstall: true 17 disableValidationOnInstall: true
18 dependencies:
19 - chart: istio/gateway
20 alias: gateway
21 version: {{ $.Values.version.istio }}
11 values: 22 values:
12 - nameSuffix: -{{ .Values.name }} 23 - gateway: {}
13 strategicMergePatches: 24 resources:
25 - apiVersion: v1
26 kind: ConfigMap
27 metadata:
28 name: istio-gateway-foo-{{ .Values.name }}
29 data:
30 foo: "bar"
31 {{- range $gateway_index, $gateway := .Values.gateways }}
14 - apiVersion: networking.istio.io/v1beta1 32 - apiVersion: networking.istio.io/v1beta1
15 kind: Gateway 33 kind: Gateway
16 metadata: 34 metadata:
17 name: istio-gateway-{{ .Values.name }} 35 name: istio-gateway-{{ $gateway.name }}
18 namespace: {{ .Values.namespace }}
19 spec: 36 spec:
20 selector: {{ .Values.selector | toYaml | nindent 12 }} 37 selector:
38 app: istio-gateway-{{ $.Values.name }}
39 istio: gateway-{{ $.Values.name }}
21 servers: 40 servers:
22 {{- if .Values.http.hosts }} 41 {{- range $host_index, $host := $gateway.hosts }}
23 - port: 42 - port:
24 name: http 43 name: http-{{ $host.name }}
25 number: 80 44 number: 80
26 protocol: HTTP 45 protocol: HTTP
27 hosts: {{ .Values.http.hosts | toYaml | nindent 16 }} 46 hosts:
28 {{- end }} 47 - {{ $host.name | quote }}
29 {{- if .Values.tls.hosts }} 48 {{- if hasKey $host "tls" }}
30 - port: 49 - port:
31 name: https 50 name: https-{{ $host.name }}
32 number: 443 51 number: 443
33 protocol: HTTPS 52 protocol: HTTPS
34 hosts: {{ .Values.http.hosts | toYaml | nindent 16 }} 53 hosts:
54 - {{ $host.name | quote }}
35 tls: 55 tls:
36 credentialName: istio-gateway-cert-{{ .Values.name }} 56 # TODO: Switch certs based on wildcard or not
37 mode: {{ .Values.tls.mode | quote }} 57 {{- if hasKey $host.tls "certRef" }}
58 credentialName: {{ $host.tls.certRef | quote }}
59 {{- else if hasPrefix "*." $host.name }}
60 credentialName: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
61 {{- else }}
62 credentialName: istio-gateway-cert-{{ $host.name }}
38 {{- end }} 63 {{- end }}
64 mode: {{ $host.tls.mode | quote }}
65 {{- end }}
66 {{- end }}
67 {{- range $host_index, $host := $gateway.hosts }}
68 {{- if hasKey $host "tls" }}
69 {{- if not (hasKey $host.tls "certRef") }}
39 - apiVersion: cert-manager.io/v1 70 - apiVersion: cert-manager.io/v1
40 kind: Certificate 71 kind: Certificate
41 metadata: 72 metadata:
42 name: istio-gateway-cert-{{ .Values.name }} 73 {{- if hasPrefix "*." $host.name }}
43 namespace: {{ .Values.namespace }} 74 name: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}
44 {{- if .Values.tls.hosts }} 75 {{- else }}
76 name: istio-gateway-cert-{{ $host.name }}
77 {{- end }}
45 spec: 78 spec:
46 secretName: istio-gateway-cert-{{ .Values.name }} 79 {{- if hasPrefix "*." $host.name }}
47 dnsNames: {{ .Values.tls.hosts | toYaml | nindent 12 }} 80 secretName: istio-gateway-wildcardcert-{{ $host.name | replace "*i." "" }}
48 issuerRef: {{ .Values.tls.issuerRef | toYaml | nindent 12 }} 81 {{- else }}
49 {{ else }} 82 secretName: istio-gateway-cert-{{ $host.name }}
50 $patch: delete
51 {{- end }} 83 {{- end }}
52 84 dnsNames:
85 - {{ $host.name | quote }}
86 issuerRef: {{ $host.tls.issuerRef | toYaml | nindent 18 }}
87 {{- end }}
88 {{- end }}
89 {{- end }}
90 {{- end }}
91 ---
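Review bot: Line 80 strips the prefix `"*i."` instead of `"*."`, so for a wildcard host the Certificate's `secretName` keeps the `*.` (an invalid Secret name) and never matches the `credentialName` the Gateway computes on line 60, leaving that HTTPS server without a credential; the fix is `secretName: istio-gateway-wildcardcert-{{ $host.name | replace "*." "" }}`. Separately, `mode: {{ $host.tls.mode | quote }}` on line 64 renders `mode: ""` for a host that only supplies `certRef`, which Istio will reject; `mode: {{ $host.tls.mode | default "SIMPLE" | quote }}` makes the intended default explicit. Host names such as `*` or `*.example.com` are also interpolated verbatim into the port names on lines 43 and 50 and, for the non-wildcard branch, into Certificate and Secret names; Istio and Kubernetes name validation likely rejects `*` there, so the same `replace` normalisation (or a dedicated sanitised variable) should be applied before use. The `# TODO: Switch certs based on wildcard or not` comment on line 56 now describes what the code below it does and can be dropped or reworded.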