diff --git a/common/environments.yaml b/common/environments.yaml
index ffdec4a..04ec0d3 100644
--- a/common/environments.yaml
+++ b/common/environments.yaml
@@ -18,6 +18,8 @@ environments:
 enabled: true
 - redis:
 enabled: true
+ - istio:
+ enabled: true
 etersoft:
 kubeContext: etersoft
 values:
@@ -37,3 +39,5 @@ environments:
 enabled: false
 - postgres16:
 enabled: true
+ - istio:
+ enabled: false
diff --git a/common/extensions/values.certificate.yaml b/common/extensions/values.certificate.yaml
new file mode 100644
index 0000000..09fb519
--- /dev/null
+++ b/common/extensions/values.certificate.yaml
@@ -0,0 +1,19 @@
+certificate:
+ templates:
+ - |
+ {{ range .Values.certificate }}
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: {{ .name }}
+ spec:
+ dnsNames:
+ {{- range .dnsNames }}
+ - {{ . | quote }}
+ {{- end }}
+ issuerRef:
+ kind: {{ .issuer.kind }}
+ name: {{ .issuer.name }}
+ secretName: {{ .secretName }}
+ {{ end }}
diff --git a/common/extensions/values.istio-gateway.yaml b/common/extensions/values.istio-gateway.yaml
new file mode 100644
index 0000000..05445a1
--- /dev/null
+++ b/common/extensions/values.istio-gateway.yaml
@@ -0,0 +1,15 @@
+istio-gateway:
+ templates:
+ - |
+ {{ range .Values.gateways }}
+ ---
+ apiVersion: networking.istio.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: {{ .name }}
+ spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ {{ toYaml .servers | indent 4 }}
+ {{ end }}
diff --git a/installations/applications/helmfile-badhouseplants.yaml b/installations/applications/helmfile-badhouseplants.yaml
index e817d10..e7f3ed1 100644
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
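Review bot: In the new Certificate template, `name: {{ .name }}`, `secretName: {{ .secretName }}` and the two `issuerRef` fields are rendered as plain scalars, while the `dnsNames` entries in the same template are already piped through `quote`; an empty, numeric-looking or boolean-looking value would be retyped by the YAML parser instead of landing as a string. Change them to `name: {{ .name | quote }}` and `secretName: {{ .secretName | quote }}`, and likewise `kind: {{ .issuer.kind | quote }}` and `name: {{ .issuer.name | quote }}`. The template also sets no `metadata.namespace`, so the Certificate and its secret land in whatever namespace the release is synced to; that is fine for the ingress use here but worth stating in a comment above `{{ range .Values.certificate }}`.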
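Review bot: This new Gateway template omits `namespace: istio-system` under `metadata`, while the other copy of the same template in values/common/values.istio-gateway.yaml, later in this diff, adds exactly that line; the server-xray-public values reference the gateway as `istio-system/xray-public-dyn`, so whichever of the two files the `ext-istio-gateway` template actually loads (not determinable from this diff) must put the object in istio-system or the reference will not resolve. Add `namespace: istio-system` after `name: {{ .name }}` here, or better, keep a single copy of the template so the two cannot drift again. As in the Certificate template, `name: {{ .name }}` should be `name: {{ .name | quote }}`.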
@@ -100,6 +100,9 @@ releases:
 - template: default-env-values
 - template: ext-tcp-routes
 - template: ext-cilium
+ - template: ext-istio-gateway
+ - template: ext-certificate
+ - template: ext-istio-resource
 - name: server-xray-public-edge
 chart: allangers-charts/server-xray
 namespace: public-xray
diff --git a/installations/system/helmfile.yaml b/installations/system/helmfile.yaml
index 8f67a3f..28b84c6 100644
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@@ -25,6 +25,8 @@ repositories:
 url: https://openebs.github.io/openebs
 - name: local-path-provisioner
 url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+ - name: istio
+ url: https://istio-release.storage.googleapis.com/charts
 releases: - name: namespaces
@@ -147,7 +149,7 @@ releases:
 inherit: - template: default-env-values
- # -- Not versions since it's installed from git
+ # -- Not versions since it's idnstalled from git
 - name: local-path-provisioner
 chart: local-path-provisioner/local-path-provisioner
 condition: localpath.enabled
@@ -156,3 +158,28 @@ releases:
 - kube-system/cilium
 inherit:
 - template: default-env-values
+
+ - name: istio-base
+ chart: istio/base
+ condition: istio.enabled
+ namespace: istio-system
+ inherit:
+ - template: crd-management-hook
+
+ - name: istio-ingressgateway
+ chart: istio/gateway
+ condition: istio.enabled
+ namespace: istio-system
+ needs:
+ - istio-system/istio-base
+ inherit:
+ - template: default-env-values
+
+ - name: istiod
+ chart: istio/istiod
+ condition: istio.enabled
+ namespace: istio-system
+ inherit:
+ - template: default-env-values
+ needs:
+ - istio-system/istio-base
diff --git a/values/badhouseplants/values.istio-ingressgateway.yaml b/values/badhouseplants/values.istio-ingressgateway.yaml
new file mode 100644
index 0000000..adf24cb
--- /dev/null
+++ b/values/badhouseplants/values.istio-ingressgateway.yaml
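Review bot: `- template: ext-istio-resource` is added to the release's inherit list, but unlike `ext-istio-gateway` and `ext-certificate`, whose extension files are created in this diff, no template or values file for `istio-resource` appears anywhere in the change; if it is not already defined in the helmfile, the sync fails at template resolution. Confirm the template exists, and if it is new, add its extension file in the same commit so the `istio.istio` list in values.server-xray-public.yaml has a consumer. The release this inherit list belongs to starts above the hunk, so its `needs:` (if any) is not visible; the Gateway and Certificate objects it now renders depend on the istio and cert-manager CRDs being present, which is worth pinning with a `needs:` entry.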
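Review bot: The comment rewrite introduces a typo: `installed` becomes `idnstalled`. Keep the original `# -- Not versions since it's installed from git`; the `versions`/`versioned` wording could be fixed at the same time.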
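Review bot: `istio-ingressgateway` declares `needs:` only on `istio-system/istio-base`, but the gateway chart's pods get their proxy via istiod's injection webhook, so on a fresh sync the gateway Deployment can be applied before `istiod` is up and its pods start uninjected or stay pending until a restart; add `- istio-system/istiod` to that `needs:` list. None of the three new releases pins a chart `version:`, so every sync floats to the newest chart published in the istio repository added in the first hunk; the comment kept on local-path-provisioner implies the other releases are versioned, so these should carry `version: <pinned istio chart version>` too (placeholder, the value is not on the page). `istio-base` inherits `crd-management-hook` whose definition is outside this diff, so I cannot tell whether CRDs are applied before the dependent releases need them.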
@@ -0,0 +1,17 @@
+service:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - name: xray
+ port: 27015
+ protocol: TCP
+ targetPort: 27015
+podAnnotations:
+ proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 0, "forwardClientCertDetails": SANITIZE } }'
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 200m
+ memory: 1024Mi
diff --git a/values/badhouseplants/values.istiod.yaml b/values/badhouseplants/values.istiod.yaml
new file mode 100644
index 0000000..def0105
--- /dev/null
+++ b/values/badhouseplants/values.istiod.yaml
@@ -0,0 +1,13 @@
+pilot:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 2048Mi
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 20m
+ memory: 128Mi
+ limits:
+ memory: 128Mi
diff --git a/values/badhouseplants/values.metallb-resources.yaml b/values/badhouseplants/values.metallb-resources.yaml
index 94b681b..c326551 100644
--- a/values/badhouseplants/values.metallb-resources.yaml
+++ b/values/badhouseplants/values.metallb-resources.yaml
@@ -3,3 +3,5 @@ metallb:
 ippools:
 - name: fuji
 addresses: 195.201.249.91-195.201.249.91
+ - name: matterhorn
+ addresses: 95.216.180.68-95.216.180.68
diff --git a/values/badhouseplants/values.namespaces.yaml b/values/badhouseplants/values.namespaces.yaml
index 2c78049..00a79dd 100644
--- a/values/badhouseplants/values.namespaces.yaml
+++ b/values/badhouseplants/values.namespaces.yaml
@@ -2,6 +2,7 @@ namespaces:
 - name: kyverno
 - name: observability
 - name: databases
+ - name: istio-system
 - name: applications
 - name: platform
 - name: games
diff --git a/values/badhouseplants/values.server-xray-public.yaml b/values/badhouseplants/values.server-xray-public.yaml
index 868a17c..88b73d9 100644
--- a/values/badhouseplants/values.server-xray-public.yaml
+++ b/values/badhouseplants/values.server-xray-public.yaml
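Review bot: In the `proxy.istio.io/config` annotation, `SANITIZE` is a bare token inside what is otherwise a JSON object, so the value is not valid JSON; it appears to work only because Istio accepts the annotation as YAML, and any JSON-based validation or policy tooling will reject it. Quote it: `"forwardClientCertDetails": "SANITIZE"`. The combination of `numTrustedProxies: 0` with `externalTrafficPolicy: Local` looks deliberate (the gateway sees the client address directly and does not honour forwarded headers), and `SANITIZE` drops any client-supplied XFCC header, which is the safe choice for an externally exposed gateway; a one-line comment above the annotation stating that intent would keep the next maintainer from relaxing it.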
@@ -1,3 +1,38 @@
+istio:
+ enabled: true
+ istio:
+ - name: server-xray-public
+ gateway: istio-system/xray-public-dyn
+ kind: tcp
+ port_match: 27015
+ hostname: "*"
+ service: server-xray-public-xray-https
+ port: 443
+
+ certificate:
+ enabled: true
+ certificate:
+ - name: xray-public.badhouseplants.net
+ secretName: xray-public.badhouseplants.net
+ issuer:
+ kind: ClusterIssuer
+ name: badhouseplants-issuer-http01
+ dnsNames:
+ - xray-public-dyn.badhouseplants.net
+ - xray-public.badhouseplants.net
+
+ istio-gateway:
+ enabled: true
+ gateways:
+ - name: xray-public-dyn
+ servers:
+ - hosts:
+ - "*"
+ port:
+ name: xray
+ number: 27015
+ protocol: TCP
+
 traefik:
 enabled: true
 tcpRoutes:
@@ -12,7 +47,6 @@ ingress:
 main:
 enabled: true
 annotations:
- cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
 kubernetes.io/ingress.allow-http: "false"
 kubernetes.io/ingress.class: traefik
 kubernetes.io/ingress.global-static-ip-name: ""
diff --git a/values/badhouseplants/values.stalwart.yaml b/values/badhouseplants/values.stalwart.yaml
index 1ec68e7..869c6f2 100644
--- a/values/badhouseplants/values.stalwart.yaml
+++ b/values/badhouseplants/values.stalwart.yaml
@@ -73,31 +73,37 @@ traefik:
 match: HostSNI(`*`)
 entrypoint: smtp
 port: 25
+ proxyProtocolVersion: 2
 - name: stalwart-smpt-startls
 match: HostSNI(`*`)
 service: stalwart-submission
 entrypoint: smtp-startls
 port: 587
+ proxyProtocolVersion: 2
 - name: stalwart-imap
 match: HostSNI(`*`)
 service: stalwart-imap
 entrypoint: imap
 port: 143
+ proxyProtocolVersion: 2
 - name: stalwart-imaps
 match: HostSNI(`*`)
 service: stalwart-imaptls
 entrypoint: imaps
 port: 993
+ proxyProtocolVersion: 2
 - name: stalwart-pop3
 match: HostSNI(`*`)
 service: stalwart-pop3
 entrypoint: pop3
+ proxyProtocolVersion: 2
 port: 110
 - name: stalwart-pop3s
 match: HostSNI(`*`)
 service: stalwart-pop3s
 entrypoint: pop3s
 port: 995
+ proxyProtocolVersion: 2
 files:
 config:
 enabled: true
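Review bot: Dropping `cert-manager.io/cluster-issuer` from the ingress annotations in the second hunk stops cert-manager's ingress-shim from managing a certificate for this ingress, and the replacement Certificate in the first hunk writes to `secretName: xray-public.badhouseplants.net`; the ingress `tls` block is outside both hunks, so confirm it references that exact secret, otherwise the HTTPS listener falls back to the default certificate once the shim-managed secret is gone. The new Certificate also lists `xray-public-dyn.badhouseplants.net`, which the Gateway added in the first hunk exposes as plain `TCP` with hosts `"*"`; that SAN is only useful if the upstream `server-xray-public-xray-https` service loads the secret itself, which this diff does not show. A short comment above `certificate:` naming which workload consumes the secret would make that dependency explicit.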
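Review bot: Adding `proxyProtocolVersion: 2` to all six TCP routes makes Traefik prefix every connection to the Stalwart listeners with a PROXY v2 header, so Stalwart's listener configuration (the `files.config` block that begins at the end of this hunk continues outside it) must expect PROXY protocol on 25/587/143/993/110/995 and should trust the header only from Traefik's pod or service addresses; a listener that does not expect it rejects the connection, and one that accepts it from any peer lets a direct in-cluster connection present an arbitrary source IP to logging and rate limiting. Please confirm the corresponding Stalwart setting is in the same change. Minor style point: in the `stalwart-pop3` entry the new key is placed before `port: 110`, whereas every other route places it after `port:`; move it so the six entries read identically.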
diff --git a/values/badhouseplants/values.traefik.yaml b/values/badhouseplants/values.traefik.yaml
index 9bf827e..b530f35 100644
--- a/values/badhouseplants/values.traefik.yaml
+++ b/values/badhouseplants/values.traefik.yaml
@@ -1,6 +1,8 @@
 service:
 annotations:
 service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+ spec:
+ externalTrafficPolicy: Local
 ports:
 websecure:
 transport:
diff --git a/values/common/values.istio-gateway.yaml b/values/common/values.istio-gateway.yaml
index d54bfa7..9483b63 100644
--- a/values/common/values.istio-gateway.yaml
+++ b/values/common/values.istio-gateway.yaml
@@ -1,16 +1,16 @@
----
 istio-gateway:
 templates:
 - |
- {{ range .Values.gateways }}
- ---
- apiVersion: networking.istio.io/v1beta1
- kind: Gateway
- metadata:
- name: {{ .name }}
- spec:
- selector:
- istio: ingressgateway
- servers:
- {{ toYaml .servers | indent 4 }}
- {{ end }}
+ {{ range .Values.gateways }}
+ ---
+ apiVersion: networking.istio.io/v1beta1
+ kind: Gateway
+ metadata:
+ name: {{ .name }}
+ namespace: istio-system
+ spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ {{ toYaml .servers | indent 4 }}
+ {{ end }}
diff --git a/values/common/values.tcp-route.yaml b/values/common/values.tcp-route.yaml
index c682a6b..ef1564c 100644
--- a/values/common/values.tcp-route.yaml
+++ b/values/common/values.tcp-route.yaml
@@ -17,6 +17,7 @@ traefik:
 nativeLB: true
 port: {{ .port }}
 {{- if .proxyProtocolVersion }}
- proxyProtocol: {{ .proxyProtocolVersion }}
+ proxyProtocol:
+ version: {{ .proxyProtocolVersion }}
 {{- end }}
 {{- end }}