chore(release): Add a new release: metrics-server

A new release is added to the cluster:
		  Name: metrics-server 
		  Namespace: kube-system
		  Version: 3.11.0
		  Chart: metrics-server/metrics-server
Nikolai Rodionov
2024-09-09 09:41:17 +02:00
parent 7936b2f5d2
commit 012aaadacc
174 changed files with 29571 additions and 0 deletions

View File

@ -0,0 +1,12 @@
apiVersion: v2
appVersion: 1.23.0
description: Helm chart for deploying Istio gateways
icon: https://istio.io/latest/favicons/android-192x192.png
keywords:
- istio
- gateways
name: gateway
sources:
- https://github.com/istio/istio
type: application
version: 1.23.0
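Review bot: the commit message announces a `metrics-server` 3.11.0 release in `kube-system` from chart `metrics-server/metrics-server`, but this Chart.yaml declares `name: gateway`, `version: 1.23.0`, with `sources` pointing at https://github.com/istio/istio. Either the message was copied from another release or the wrong chart was vendored; for a supply-chain audit the commit title should name the chart and version the files actually pin, which here is the Istio gateway chart 1.23.0.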

View File

@ -0,0 +1,170 @@
# Istio Gateway Helm Chart
This chart installs an Istio gateway deployment.
## Setup Repo Info
```console
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Installing the Chart
To install the chart with the release name `istio-ingressgateway`:
```console
helm install istio-ingressgateway istio/gateway
```
## Uninstalling the Chart
To uninstall/delete the `istio-ingressgateway` deployment:
```console
helm delete istio-ingressgateway
```
## Configuration
To view support configuration options and documentation, run:
```console
helm show values istio/gateway
```
### Profiles
Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
These can be set with `--set profile=<profile>`.
For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
Explicitly set values have highest priority, then profile settings, then chart defaults.
As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
When configuring the chart, you should not include this.
That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
### OpenShift
When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
```console
helm install istio-ingressgateway istio/gateway --set profile=openshift
```
### `image: auto` Information
The image used by the chart, `auto`, may be unintuitive.
This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
This allows the same configurations and lifecycle to apply to gateways as sidecars.
Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
### Examples
#### Egress Gateway
Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
```yaml
service:
# Egress gateways do not need an external LoadBalancer IP
type: ClusterIP
```
#### Multi-network/VM Gateway
Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
```yaml
networkGateway: network-1
```
### Migrating from other installation methods
Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
following the guidance below.
If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
#### Legacy Gateway Helm charts
Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
These are replaced by this chart.
While not required, it is recommended all new users use this chart, and existing users migrate when possible.
This chart has the following benefits and differences:
* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
* Published to official Istio Helm repository.
* Single chart for all gateways (Ingress, Egress, East West).
#### General concerns
For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
```yaml
app: istio-gateway
istio: gateway # the release name with leading istio- prefix stripped
```
If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
`foo=bar,istio=ingressgateway`:
```yaml
name: my-custom-gateway # Override the name to match existing resources
labels:
app: "" # Unset default app selector label
istio: ingressgateway # override default istio selector label
foo: bar # Add the existing custom selector label
```
#### Migrating an existing Helm release
An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
installation was done like:
```console
helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
```
It could be upgraded with
```console
helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
```
Note the name and labels are overridden to match the names of the existing installation.
Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
or customize the ports to match the old defaults.
See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
#### Other migrations
If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
```console
KINDS=(service deployment)
RELEASE=istio-ingressgateway
NAMESPACE=istio-system
for KIND in "${KINDS[@]}"; do
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
done
```
You may ignore errors about resources not being found.
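Review bot: the Sidecar Injection link in the `image: auto` section is written as `istio.io/latest/docs/setup/additional-setup/sidecar-injection` without a scheme, so Markdown renders it as a relative link on whatever site hosts this README; every other link in the file uses `https://`. In the adoption script under `Other migrations`, `$NAMESPACE` and `$RELEASE` are unquoted, and `--overwrite=true` re-labels whatever `service`/`deployment` currently carries the release name without confirmation, so the text should tell the reader to check that those objects really are the gateway they intend Helm to own (for example `kubectl get deployment,service -n "$NAMESPACE" "$RELEASE" -o yaml`) before running it, since a successful run makes Helm delete them on `helm uninstall`.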

View File

@ -0,0 +1,20 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_META_ENABLE_HBONE: "true"
global:
variant: distroless
pilot:
env:
PILOT_ENABLE_AMBIENT: "true"
cni:
ambient:
enabled: true
# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
variant: distroless

View File

@ -0,0 +1,26 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
pilot:
env:
# 1.21 behavioral changes
ENABLE_EXTERNAL_NAME_ALIAS: "false"
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
VERIFY_CERTIFICATE_AT_CLIENT: "false"
ENABLE_AUTO_SNI: "false"
# 1.22 behavioral changes
ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
meshConfig:
defaultConfig:
proxyMetadata:
# 1.22 behavioral changes
ISTIO_DELTA_XDS: "false"
# 1.23 behavioral changes
ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
tracing:
zipkin:
address: zipkin.istio-system:9411
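Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` under the 1.21 section revert security-relevant proxy defaults, not merely behavioural ones: they switch off the client-side certificate verification that 1.21 enabled by default for TLS the proxy originates. Because `compatibilityVersion` is an ordinary chart value, nothing stops a user from carrying `1.20` forever; the file header should state that this is a migration aid to be removed once the mesh is on 1.21 behaviour, and selecting it on an internet-facing gateway should be a deliberate, documented decision.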

View File

@ -0,0 +1,19 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
pilot:
env:
# 1.22 behavioral changes
ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
meshConfig:
# 1.22 behavioral changes
defaultConfig:
proxyMetadata:
ISTIO_DELTA_XDS: "false"
# 1.23 behavioral changes
ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
tracing:
zipkin:
address: zipkin.istio-system:9411

View File

@ -0,0 +1,11 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
meshConfig:
defaultConfig:
proxyMetadata:
# 1.22 behavioral changes
ENABLE_DEFERRED_CLUSTER_CREATION: "false"
# 1.23 behavioral changes
ENABLE_DELIMITED_STATS_TAG_REGEX": "false"
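Review bot: the last key has a stray double quote, `ENABLE_DELIMITED_STATS_TAG_REGEX": "false"`, so YAML parses the key as `ENABLE_DELIMITED_STATS_TAG_REGEX"` and the proxy metadata is never set; `compatibilityVersion=1.22` therefore does not revert the 1.23 stats-tag change this file exists to revert. The same key is written correctly in the 1.20 and 1.21 files. Per the header, fix it in the `/manifests/helm-profiles` original and run `make gen` rather than editing this copy.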

View File

@ -0,0 +1,73 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
# The demo profile enables a variety of things to try out Istio in non-production environments.
# * Lower resource utilization.
# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
# * More ports enabled on the ingress, which is used in some tasks.
meshConfig:
accessLogFile: /dev/stdout
extensionProviders:
- name: otel
envoyOtelAls:
service: opentelemetry-collector.observability.svc.cluster.local
port: 4317
- name: skywalking
skywalking:
service: tracing.istio-system.svc.cluster.local
port: 11800
- name: otel-tracing
opentelemetry:
port: 4317
service: opentelemetry-collector.observability.svc.cluster.local
global:
proxy:
resources:
requests:
cpu: 10m
memory: 40Mi
pilot:
autoscaleEnabled: false
traceSampling: 100
resources:
requests:
cpu: 10m
memory: 100Mi
gateways:
istio-egressgateway:
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
istio-ingressgateway:
autoscaleEnabled: false
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
- port: 80
targetPort: 8080
name: http2
- port: 443
targetPort: 8443
name: https
- port: 31400
targetPort: 31400
name: tcp
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
resources:
requests:
cpu: 10m
memory: 40Mi
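Review bot: the `gateways.istio-ingressgateway` block (ports 31400 and 15443, `targetPort: 8080`/`8443`) is not read by this chart: `service.yaml` renders `.Values.service.ports`, and `values.yaml` keeps its own `service.ports` list of 15021/80/443, so `--set profile=demo` does not open the extra ports the header comment promises; the README already says profiles are shared across charts even when they do not apply, but the comment here should say so too. Separately, `accessLogFile: /dev/stdout`, `traceSampling: 100` and the three telemetry `extensionProviders` pointing at in-cluster services are test-bed settings; the header marks the profile non-production, and it should not appear in release values that reach a real cluster.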

View File

@ -0,0 +1,33 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_META_ENABLE_HBONE: "true"
global:
platform: openshift
cni:
ambient:
enabled: true
cniBinDir: /var/lib/cni/bin
cniConfDir: /etc/cni/multus/net.d
chained: false
cniConfFileName: "istio-cni.conf"
logLevel: info
provider: "multus"
pilot:
cni:
enabled: true
provider: "multus"
variant: distroless
env:
PILOT_ENABLE_AMBIENT: "true"
# Allow sidecars/ingress to send/receive HBONE. This is required for interop.
PILOT_ENABLE_SENDING_HBONE: "true"
PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
platform: openshift
variant: distroless
seLinuxOptions:
type: spc_t
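Review bot: `seLinuxOptions.type: spc_t` places whatever component consumes it in the SELinux `spc_t` (super privileged container) domain, which is effectively unconfined; a grant that broad needs a comment naming the component that requires it and why. None of the templates in this chart read `seLinuxOptions`, so it is inert for the gateway, but the profile is shared with the other Istio charts (the ambient profile header lists Istiod, CNI and ztunnel), so the setting should be scoped to the chart that needs it rather than carried by every chart that bundles this file.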

View File

@ -0,0 +1,20 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
# CNI must be installed.
cni:
cniBinDir: /var/lib/cni/bin
cniConfDir: /etc/cni/multus/net.d
chained: false
cniConfFileName: "istio-cni.conf"
logLevel: info
provider: "multus"
global:
platform: openshift
pilot:
cni:
enabled: true
provider: "multus"
platform: openshift

View File

@ -0,0 +1,13 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
# The preview profile contains features that are experimental.
# This is intended to explore new features coming to Istio.
# Stability, security, and performance are not guaranteed - use at your own risk.
meshConfig:
defaultConfig:
proxyMetadata:
# Enable Istio agent to handle DNS requests for known hosts
# Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
ISTIO_META_DNS_CAPTURE: "true"

View File

@ -0,0 +1,8 @@
# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
# The original version of this file is located at /manifests/helm-profiles directory.
# If you want to make a change in this file, edit the original one and run "make gen".
# The stable profile deploys admission control to ensure that only stable resources and fields are used
# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
experimental:
stableValidationPolicy: true

View File

@ -0,0 +1,9 @@
"{{ include "gateway.name" . }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
Next steps:
* Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
* Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/

View File

@ -0,0 +1,51 @@
{{- define "gateway.name" -}}
{{- if eq .Release.Name "RELEASE-NAME" -}}
{{- .Values.name | default "istio-ingressgateway" -}}
{{- else -}}
{{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
{{- end -}}
{{- end }}
{{/*
Create chart name and version as used by the helm.sh/chart label.
*/}}
{{- define "gateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "gateway.labels" -}}
helm.sh/chart: {{ include "gateway.chart" . }}
{{ include "gateway.selectorLabels" . }}
app.kubernetes.io/name: {{ include "gateway.name" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- range $key, $val := .Values.labels }}
{{- if and (ne $key "app") (ne $key "istio") }}
{{ $key | quote }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "gateway.selectorLabels" -}}
app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
{{- end }}
{{/*
Keep sidecar injection labels together
https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
*/}}
{{- define "gateway.sidecarInjectionLabels" -}}
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . | quote }}
{{- end }}
{{- end }}
{{- define "gateway.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
{{- else }}
{{- .Values.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}
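Review bot: in `gateway.selectorLabels` the `quote` runs before `default`, so an explicit `labels.app: ""` becomes the two-character literal `""`, which is truthy and suppresses the fallback to `gateway.name`; that is exactly what the README's migration example relies on (`app: ""` to unset the default selector label), but it reads like an operator-precedence bug to anyone who has not seen that example, so add a one-line comment above the two `app:`/`istio:` lines explaining the intent. The same helper is used for `Deployment.spec.selector`, which is immutable, so a change to this ordering later would force a recreate.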

View File

@ -0,0 +1,115 @@
apiVersion: apps/v1
kind: {{ .Values.kind | default "Deployment" }}
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- with .Values.replicaCount }}
replicas: {{ . }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
{{- include "gateway.selectorLabels" . | nindent 8 }}
app.kubernetes.io/name: {{ include "gateway.name" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- range $key, $val := .Values.labels }}
{{- if and (ne $key "app") (ne $key "istio") }}
{{ $key | quote }}: {{ $val | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
securityContext:
{{- if .Values.securityContext }}
{{- toYaml .Values.securityContext | nindent 8 }}
{{- else }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
{{- with .Values.volumes }}
volumes:
{{ toYaml . | nindent 8 }}
{{- end }}
containers:
- name: istio-proxy
# "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
image: auto
{{- with .Values.imagePullPolicy }}
imagePullPolicy: {{ . }}
{{- end }}
securityContext:
{{- if .Values.containerSecurityContext }}
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- else }}
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
{{- if not (eq .Values.platform "openshift") }}
runAsUser: 1337
runAsGroup: 1337
{{- end }}
runAsNonRoot: true
{{- end }}
env:
{{- with .Values.networkGateway }}
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: "{{.}}"
{{- end }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.volumeMounts }}
volumeMounts:
{{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
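Review bot: the `{{- if .Values.containerSecurityContext }}` / `{{- else }}` split means any user-supplied `containerSecurityContext` replaces the whole hardened default (`capabilities.drop: [ALL]`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, uid/gid 1337), so setting a single field such as `runAsUser` silently drops the rest; merging the user map over the defaults (`mustMergeOverwrite`, as `zzz_profile.yaml` already does for values) would keep the baseline. The pod-level `securityContext` has the same shape, and its comment `Safe since 1.22` should say Kubernetes 1.22: on older kubelets `net.ipv4.ip_unprivileged_port_start` is an unsafe sysctl and the pod is rejected unless it is allow-listed.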

View File

@ -0,0 +1,38 @@
{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: {{ .Values.kind | default "Deployment" }}
name: {{ include "gateway.name" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.autoscaleBehavior }}
behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,16 @@
{{- if .Values.podDisruptionBudget }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
spec:
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
{{- with .Values.podDisruptionBudget }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,33 @@
{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.annotations | toYaml | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gateway.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gateway.serviceAccountName" . }}
{{- end }}
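Review bot: the Role grants `get`, `watch` and `list` on every Secret in `.Release.Namespace`, not only the gateway's TLS credentials, and the RoleBinding subject is whatever `gateway.serviceAccountName` resolves to; with `serviceAccount.create: false` and no `serviceAccount.name`, that helper falls back to `default`, so the binding hands namespace-wide secret read to every pod running under the default service account. Render the Role/RoleBinding only when the service account is created or explicitly named, and document that a gateway belongs in a namespace holding only its own certificates, since `resourceNames` cannot narrow `list` and `watch`.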

View File

@ -0,0 +1,64 @@
{{- if not (eq .Values.service.type "None") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.networkGateway }}
topology.istio.io/network: "{{.}}"
{{- end }}
annotations:
{{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
spec:
{{- with .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ . }}"
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
{{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- end }}
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies:
{{- range .Values.service.ipFamilies }}
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.service.externalTrafficPolicy }}
externalTrafficPolicy: "{{ . }}"
{{- end }}
type: {{ .Values.service.type }}
ports:
{{- if .Values.networkGateway }}
- name: status-port
port: 15021
targetPort: 15021
- name: tls
port: 15443
targetPort: 15443
- name: tls-istiod
port: 15012
targetPort: 15012
- name: tls-webhook
port: 15017
targetPort: 15017
{{- else }}
{{ .Values.service.ports | toYaml | indent 4 }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs: {{- range .Values.service.externalIPs }}
- {{.}}
{{- end }}
{{- end }}
selector:
{{- include "gateway.selectorLabels" . | nindent 4 }}
{{- end }}
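Review bot: the default `service.type` is `LoadBalancer` and `loadBalancerSourceRanges` defaults to `[]`, so an unmodified install exposes 15021, 80 and 443 to any source the cloud load balancer accepts; the README's egress example shows `type: ClusterIP`, and the ingress case should likewise tell the reader to set `loadBalancerSourceRanges` before going live. In the `networkGateway` branch the service additionally publishes 15012 (istiod xDS) and 15017 (webhook) through the same load balancer; that is intended for east-west traffic between clusters and is the case where a source-range restriction matters most.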

View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,43 @@
{{/*
WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
The original version of this file is located at /manifests directory.
If you want to make a change in this file, edit the original one and run "make gen".
Complex logic ahead...
We have three sets of values, in order of precedence (last wins):
1. The builtin values.yaml defaults
2. The profile the user selects
3. Users input (-f or --set)
Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
We can then merge the profile onto the defaults, then the user settings onto that.
Finally, we can set all of that under .Values so the chart behaves without awareness.
*/}}
{{- $globals := $.Values.global | default dict | deepCopy }}
{{- $defaults := $.Values.defaults }}
{{- $_ := unset $.Values "defaults" }}
{{- $profile := dict }}
{{- with .Values.profile }}
{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
{{- $profile = (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown profile" $.Values.profile) }}
{{- end }}
{{- end }}
{{- with .Values.compatibilityVersion }}
{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
{{- end }}
{{- end }}
{{- if $profile }}
{{- $a := mustMergeOverwrite $defaults $profile }}
{{- end }}
# Flatten globals, if defined on a per-chart basis
{{- if false }}
{{- $a := mustMergeOverwrite $defaults $globals }}
{{- end }}
{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
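Review bot: the `{{- if false }}` block is dead code: `$globals` is deep-copied at the top and then referenced only inside that never-taken branch, so either wire the global flattening in or delete both lines; as written, a reader assumes per-chart `global.*` values are merged into the defaults when they are not. The `fail` calls on an unknown `profile` or `compatibilityVersion` are the right behaviour and worth keeping. The header typo `THIS FILE IS A PROBABLY COPY` should be fixed in the `/manifests` original the comment points at.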

View File

@ -0,0 +1,301 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"additionalProperties": false,
"$defs": {
"values": {
"type": "object",
"properties": {
"global": {
"type": "object"
},
"affinity": {
"type": "object"
},
"securityContext": {
"type": [
"object",
"null"
]
},
"containerSecurityContext": {
"type": [
"object",
"null"
]
},
"kind": {
"type": "string",
"enum": [
"Deployment",
"DaemonSet"
]
},
"annotations": {
"additionalProperties": {
"type": [
"string",
"integer"
]
},
"type": "object"
},
"autoscaling": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"maxReplicas": {
"type": "integer"
},
"minReplicas": {
"type": "integer"
},
"targetCPUUtilizationPercentage": {
"type": "integer"
}
}
},
"env": {
"type": "object"
},
"labels": {
"type": "object"
},
"name": {
"type": "string"
},
"nodeSelector": {
"type": "object"
},
"podAnnotations": {
"type": "object",
"properties": {
"inject.istio.io/templates": {
"type": "string"
},
"prometheus.io/path": {
"type": "string"
},
"prometheus.io/port": {
"type": "string"
},
"prometheus.io/scrape": {
"type": "string"
}
}
},
"replicaCount": {
"type": [
"integer",
"null"
]
},
"resources": {
"type": "object",
"properties": {
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": ["string", "null"]
},
"memory": {
"type": ["string", "null"]
}
}
},
"requests": {
"type": "object",
"properties": {
"cpu": {
"type": ["string", "null"]
},
"memory": {
"type": ["string", "null"]
}
}
}
}
},
"revision": {
"type": "string"
},
"compatibilityVersion": {
"type": "string"
},
"runAsRoot": {
"type": "boolean"
},
"unprivilegedPort": {
"type": [
"string",
"boolean"
],
"enum": [
true,
false,
"auto"
]
},
"service": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"externalTrafficPolicy": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"loadBalancerSourceRanges": {
"type": "array"
},
"ipFamilies": {
"items": {
"type": "string",
"enum": [
"IPv4",
"IPv6"
]
}
},
"ipFamilyPolicy": {
"type": "string",
"enum": [
"",
"SingleStack",
"PreferDualStack",
"RequireDualStack"
]
},
"ports": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"protocol": {
"type": "string"
},
"targetPort": {
"type": "integer"
}
}
}
},
"type": {
"type": "string"
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"name": {
"type": "string"
},
"create": {
"type": "boolean"
}
}
},
"rbac": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"tolerations": {
"type": "array"
},
"topologySpreadConstraints": {
"type": "array"
},
"networkGateway": {
"type": "string"
},
"imagePullPolicy": {
"type": "string",
"enum": [
"",
"Always",
"IfNotPresent",
"Never"
]
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}
},
"podDisruptionBudget": {
"type": "object",
"properties": {
"minAvailable": {
"type": [
"integer",
"string"
]
},
"maxUnavailable": {
"type": [
"integer",
"string"
]
},
"unhealthyPodEvictionPolicy": {
"type": "string",
"enum": [
"",
"IfHealthyBudget",
"AlwaysAllow"
]
}
}
},
"terminationGracePeriodSeconds": {
"type": "number"
},
"volumes": {
"type": "array",
"items": {
"type": "object"
}
},
"volumeMounts": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": {
"type": "string"
}
}
}
},
"defaults": {
"$ref": "#/$defs/values"
},
"$ref": "#/$defs/values"
}
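Review bot: the root-level `additionalProperties: false` has no effect: it sits next to a `$ref`, which in the drafts Helm's validator supports (up to 07) causes sibling keywords to be ignored, and `defaults` is placed at the root instead of under `properties`, while `$defs.values` declares no `additionalProperties` at all. The result is that a misspelled key such as `containerSecurityContex` is accepted silently and the user believes the override applied. Move `additionalProperties: false` into `$defs.values`, then add the keys the templates read but the schema omits: `profile`, `platform`, `autoscaling.targetMemoryUtilizationPercentage`, `autoscaling.autoscaleBehavior`, `service.externalIPs`, `service.allocateLoadBalancerNodePorts`; conversely `runAsRoot` and `unprivilegedPort` are declared here but no template in this commit references them.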

View File

@ -0,0 +1,154 @@
# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
defaults:
# Name allows overriding the release name. Generally this should not be set
name: ""
# revision declares which revision this gateway is a part of
revision: ""
# Controls the spec.replicas setting for the Gateway deployment if set.
# Otherwise defaults to Kubernetes Deployment default (1).
replicaCount:
kind: Deployment
rbac:
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
# when using http://gateway-api.org/.
enabled: true
serviceAccount:
# If set, a service account will be created. Otherwise, the default is used
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set, the release name is used
name: ""
podAnnotations:
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
inject.istio.io/templates: "gateway"
sidecar.istio.io/inject: "true"
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: {}
containerSecurityContext: {}
service:
# Type of service. Set to "None" to disable the service entirely
type: LoadBalancer
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
annotations: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
externalTrafficPolicy: ""
externalIPs: []
ipFamilyPolicy: ""
ipFamilies: []
## Whether to automatically allocate NodePorts (only for LoadBalancers).
# allocateLoadBalancerNodePorts: false
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: {}
autoscaleBehavior: {}
# Pod environment variables
env: {}
# Labels to apply to all resources
labels: {}
# Annotations to apply to all resources
annotations: {}
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# If specified, the gateway will act as a network gateway for the given network.
networkGateway: ""
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent
imagePullPolicy: ""
imagePullSecrets: []
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
#
# By default, the `podDisruptionBudget` is disabled (set to `{}`),
# which means that no PodDisruptionBudget resource will be created.
#
# To enable the PodDisruptionBudget, configure it by specifying the
# `minAvailable` or `maxUnavailable`. For example, to set the
# minimum number of available replicas to 1, you can update this value as follows:
#
# podDisruptionBudget:
# minAvailable: 1
#
# Or, to allow a maximum of 1 unavailable replica, you can set:
#
# podDisruptionBudget:
# maxUnavailable: 1
#
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
#
# podDisruptionBudget:
# minAvailable: 1
# unhealthyPodEvictionPolicy: AlwaysAllow
#
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
#
# podDisruptionBudget: {}
#
podDisruptionBudget: {}
terminationGracePeriodSeconds: 30
# A list of `Volumes` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumes: []
# A list of `VolumeMounts` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumeMounts: []
# Configure this to a higher priority class in order to make sure your Istio gateway pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
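Review bot: `serviceAccount.name` is documented as "If not set, the release name is used", but `gateway.serviceAccountName` in `_helpers.tpl` only does that when `create: true`; with `create: false` it falls back to `default`, and because `rbac.enabled` is `true` here the secrets-read Role ends up bound to the namespace default service account. Fix the comment and either require `name` when `create` is false or make the RBAC resources conditional on `serviceAccount.create`. Smaller point: `targetMemoryUtilizationPercentage: {}` is an empty map standing in for an unset integer; it works only because `{}` is falsy in the HPA template, so write it as `null` or an integer like `targetCPUUtilizationPercentage`.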