Add istio for the dynamic xray

common/environments.yaml

@@ -18,6 +18,8 @@ environments:
           enabled: true
       - redis:
           enabled: true
+      - istio:
+          enabled: true
   etersoft:
     kubeContext: etersoft
     values:
@@ -37,3 +39,5 @@ environments:
           enabled: false
       - postgres16:
           enabled: true
+      - istio:
+          enabled: false

common/extensions/values.certificate.yaml

@@ -0,0 +1,19 @@
+certificate:
+  templates:
+    - |
+      {{ range .Values.certificate }}
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: {{ .name }}
+      spec:
+        dnsNames:
+          {{- range .dnsNames }}
+          - {{ . | quote }}
+          {{- end }}
+        issuerRef:
+          kind: {{ .issuer.kind }}
+          name: {{ .issuer.name }}
+        secretName: {{ .secretName }}
+        {{ end }}

common/extensions/values.istio-gateway.yaml

@@ -0,0 +1,15 @@
+istio-gateway:
+  templates:
+    - |
+      {{ range .Values.gateways }}
+      ---
+      apiVersion: networking.istio.io/v1beta1
+      kind: Gateway
+      metadata:
+        name: {{ .name }}
+      spec:
+        selector:
+          istio: ingressgateway
+        servers:
+      {{ toYaml .servers | indent 4 }}
+      {{ end }}

installations/applications/helmfile-badhouseplants.yaml

@@ -100,6 +100,9 @@ releases:
       - template: default-env-values
       - template: ext-tcp-routes
       - template: ext-cilium
+      - template: ext-istio-gateway
+      - template: ext-certificate
+      - template: ext-istio-resource
   - name: server-xray-public-edge
     chart: allangers-charts/server-xray
     namespace: public-xray

installations/system/helmfile.yaml

@@ -25,6 +25,8 @@ repositories:
     url: https://openebs.github.io/openebs
   - name: local-path-provisioner
     url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
 
 releases:
   - name: namespaces
@@ -147,7 +149,7 @@ releases:
     inherit:
       - template: default-env-values
 
-  # -- Not versions since it's installed from git
+  # -- Not versions since it's idnstalled from git
   - name: local-path-provisioner
     chart: local-path-provisioner/local-path-provisioner
     condition: localpath.enabled
@@ -156,3 +158,28 @@ releases:
       - kube-system/cilium
     inherit:
       - template: default-env-values
+
+  - name: istio-base
+    chart: istio/base
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: crd-management-hook
+
+  - name: istio-ingressgateway
+    chart: istio/gateway
+    condition: istio.enabled
+    namespace: istio-system
+    needs:
+      - istio-system/istio-base
+    inherit:
+      - template: default-env-values
+
+  - name: istiod
+    chart: istio/istiod
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: default-env-values
+    needs:
+      - istio-system/istio-base

values/badhouseplants/values.istio-ingressgateway.yaml

@@ -0,0 +1,17 @@
+service:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+    - name: xray
+      port: 27015
+      protocol: TCP
+      targetPort: 27015
+podAnnotations:
+  proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 0, "forwardClientCertDetails": SANITIZE } }'
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 1024Mi

values/badhouseplants/values.istiod.yaml

@@ -0,0 +1,13 @@
+pilot:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 2048Mi
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 20m
+        memory: 128Mi
+      limits:
+        memory: 128Mi

values/badhouseplants/values.metallb-resources.yaml

@@ -3,3 +3,5 @@ metallb:
   ippools:
     - name: fuji
       addresses: 195.201.249.91-195.201.249.91
+    - name: matterhorn
+      addresses: 95.216.180.68-95.216.180.68

values/badhouseplants/values.namespaces.yaml

@@ -2,6 +2,7 @@ namespaces:
   - name: kyverno
   - name: observability
   - name: databases
+  - name: istio-system
   - name: applications
   - name: platform
   - name: games

values/badhouseplants/values.server-xray-public.yaml

@@ -1,3 +1,38 @@
+istio:
+  enabled: true
+  istio:
+    - name: server-xray-public
+      gateway: istio-system/xray-public-dyn
+      kind: tcp
+      port_match: 27015
+      hostname: "*"
+      service: server-xray-public-xray-https
+      port: 443
+
+certificate:
+  enabled: true
+  certificate:
+    - name: xray-public.badhouseplants.net
+      secretName: xray-public.badhouseplants.net
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer-http01
+      dnsNames:
+        - xray-public-dyn.badhouseplants.net
+        - xray-public.badhouseplants.net
+
+istio-gateway:
+  enabled: true
+  gateways:
+    - name: xray-public-dyn
+      servers:
+        - hosts:
+            - "*"
+          port:
+            name: xray
+            number: 27015
+            protocol: TCP
+
 traefik:
   enabled: true
   tcpRoutes:
@@ -12,7 +47,6 @@ ingress:
   main:
     enabled: true
     annotations:
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
       kubernetes.io/ingress.allow-http: "false"
       kubernetes.io/ingress.class: traefik
       kubernetes.io/ingress.global-static-ip-name: ""

values/badhouseplants/values.stalwart.yaml

@@ -73,31 +73,37 @@ traefik:
       match: HostSNI(`*`)
       entrypoint: smtp
       port: 25
+      proxyProtocolVersion: 2
     - name: stalwart-smpt-startls
       match: HostSNI(`*`)
       service: stalwart-submission
       entrypoint: smtp-startls
       port: 587
+      proxyProtocolVersion: 2
     - name: stalwart-imap
       match: HostSNI(`*`)
       service: stalwart-imap
       entrypoint: imap
       port: 143
+      proxyProtocolVersion: 2
     - name: stalwart-imaps
       match: HostSNI(`*`)
       service: stalwart-imaptls
       entrypoint: imaps
       port: 993
+      proxyProtocolVersion: 2
     - name: stalwart-pop3
       match: HostSNI(`*`)
       service: stalwart-pop3
       entrypoint: pop3
+      proxyProtocolVersion: 2
       port: 110
     - name: stalwart-pop3s
       match: HostSNI(`*`)
       service: stalwart-pop3s
       entrypoint: pop3s
       port: 995
+      proxyProtocolVersion: 2
 files:
   config:
     enabled: true

values/badhouseplants/values.traefik.yaml

@@ -1,6 +1,8 @@
 service:
   annotations:
     service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  spec:
+    externalTrafficPolicy: Local
 ports:
   websecure:
     transport:

values/common/values.istio-gateway.yaml

@@ -1,4 +1,3 @@
----
 istio-gateway:
   templates:
     - |
@@ -8,6 +7,7 @@ istio-gateway:
       kind: Gateway
       metadata:
         name: {{ .name }}
+        namespace: istio-system
       spec:
         selector:
           istio: ingressgateway

values/common/values.tcp-route.yaml

@@ -17,6 +17,7 @@ traefik:
             nativeLB: true
             port: {{ .port }}
             {{- if .proxyProtocolVersion }}
-            proxyProtocol: {{ .proxyProtocolVersion }}
+            proxyProtocol:
+              version: {{ .proxyProtocolVersion }}
             {{- end }}
       {{- end }}