Add istio for the dynamic xray

2024-11-08 21:01:38 +01:00 · 2024-11-08 21:01:38 +01:00 · 6a4f94c97e
commit 6a4f94c97e
parent a2919fc5d1
14 changed files with 160 additions and 16 deletions
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -18,6 +18,8 @@ environments:
          enabled: true
      - redis:
          enabled: true
+      - istio:
+          enabled: true
  etersoft:
    kubeContext: etersoft
    values:
@ -37,3 +39,5 @@ environments:
          enabled: false
      - postgres16:
          enabled: true
+      - istio:
+          enabled: false
--- a/common/extensions/values.certificate.yaml
+++ b/common/extensions/values.certificate.yaml
@ -0,0 +1,19 @@
+certificate:
+  templates:
+    - |
+      {{ range .Values.certificate }}
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: {{ .name }}
+      spec:
+        dnsNames:
+          {{- range .dnsNames }}
+          - {{ . | quote }}
+          {{- end }}
+        issuerRef:
+          kind: {{ .issuer.kind }}
+          name: {{ .issuer.name }}
+        secretName: {{ .secretName }}
+        {{ end }}
--- a/common/extensions/values.istio-gateway.yaml
+++ b/common/extensions/values.istio-gateway.yaml
@ -0,0 +1,15 @@
+istio-gateway:
+  templates:
+    - |
+      {{ range .Values.gateways }}
+      ---
+      apiVersion: networking.istio.io/v1beta1
+      kind: Gateway
+      metadata:
+        name: {{ .name }}
+      spec:
+        selector:
+          istio: ingressgateway
+        servers:
+      {{ toYaml .servers | indent 4 }}
+      {{ end }}
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@ -100,6 +100,9 @@ releases:
      - template: default-env-values
      - template: ext-tcp-routes
      - template: ext-cilium
+      - template: ext-istio-gateway
+      - template: ext-certificate
+      - template: ext-istio-resource
  - name: server-xray-public-edge
    chart: allangers-charts/server-xray
    namespace: public-xray
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -25,6 +25,8 @@ repositories:
    url: https://openebs.github.io/openebs
  - name: local-path-provisioner
    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts

 releases:
  - name: namespaces
@ -147,7 +149,7 @@ releases:
    inherit:
      - template: default-env-values

-  # -- Not versions since it's installed from git
+  # -- Not versions since it's idnstalled from git
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    condition: localpath.enabled
@ -156,3 +158,28 @@ releases:
      - kube-system/cilium
    inherit:
      - template: default-env-values
+
+  - name: istio-base
+    chart: istio/base
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: crd-management-hook
+
+  - name: istio-ingressgateway
+    chart: istio/gateway
+    condition: istio.enabled
+    namespace: istio-system
+    needs:
+      - istio-system/istio-base
+    inherit:
+      - template: default-env-values
+
+  - name: istiod
+    chart: istio/istiod
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: default-env-values
+    needs:
+      - istio-system/istio-base
--- a/values/badhouseplants/values.istio-ingressgateway.yaml
+++ b/values/badhouseplants/values.istio-ingressgateway.yaml
@ -0,0 +1,17 @@
+service:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+    - name: xray
+      port: 27015
+      protocol: TCP
+      targetPort: 27015
+podAnnotations:
+  proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 0, "forwardClientCertDetails": SANITIZE } }'
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 1024Mi
--- a/values/badhouseplants/values.istiod.yaml
+++ b/values/badhouseplants/values.istiod.yaml
@ -0,0 +1,13 @@
+pilot:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 2048Mi
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 20m
+        memory: 128Mi
+      limits:
+        memory: 128Mi
--- a/values/badhouseplants/values.metallb-resources.yaml
+++ b/values/badhouseplants/values.metallb-resources.yaml
@ -3,3 +3,5 @@ metallb:
  ippools:
    - name: fuji
      addresses: 195.201.249.91-195.201.249.91
+    - name: matterhorn
+      addresses: 95.216.180.68-95.216.180.68
--- a/values/badhouseplants/values.namespaces.yaml
+++ b/values/badhouseplants/values.namespaces.yaml
@ -2,6 +2,7 @@ namespaces:
  - name: kyverno
  - name: observability
  - name: databases
+  - name: istio-system
  - name: applications
  - name: platform
  - name: games
--- a/values/badhouseplants/values.server-xray-public.yaml
+++ b/values/badhouseplants/values.server-xray-public.yaml
@ -1,3 +1,38 @@
+istio:
+  enabled: true
+  istio:
+    - name: server-xray-public
+      gateway: istio-system/xray-public-dyn
+      kind: tcp
+      port_match: 27015
+      hostname: "*"
+      service: server-xray-public-xray-https
+      port: 443
+
+certificate:
+  enabled: true
+  certificate:
+    - name: xray-public.badhouseplants.net
+      secretName: xray-public.badhouseplants.net
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer-http01
+      dnsNames:
+        - xray-public-dyn.badhouseplants.net
+        - xray-public.badhouseplants.net
+
+istio-gateway:
+  enabled: true
+  gateways:
+    - name: xray-public-dyn
+      servers:
+        - hosts:
+            - "*"
+          port:
+            name: xray
+            number: 27015
+            protocol: TCP
+
 traefik:
  enabled: true
  tcpRoutes:
@ -12,7 +47,6 @@ ingress:
  main:
    enabled: true
    annotations:
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.class: traefik
      kubernetes.io/ingress.global-static-ip-name: ""
--- a/values/badhouseplants/values.stalwart.yaml
+++ b/values/badhouseplants/values.stalwart.yaml
@ -73,31 +73,37 @@ traefik:
      match: HostSNI(`*`)
      entrypoint: smtp
      port: 25
+      proxyProtocolVersion: 2
    - name: stalwart-smpt-startls
      match: HostSNI(`*`)
      service: stalwart-submission
      entrypoint: smtp-startls
      port: 587
+      proxyProtocolVersion: 2
    - name: stalwart-imap
      match: HostSNI(`*`)
      service: stalwart-imap
      entrypoint: imap
      port: 143
+      proxyProtocolVersion: 2
    - name: stalwart-imaps
      match: HostSNI(`*`)
      service: stalwart-imaptls
      entrypoint: imaps
      port: 993
+      proxyProtocolVersion: 2
    - name: stalwart-pop3
      match: HostSNI(`*`)
      service: stalwart-pop3
      entrypoint: pop3
+      proxyProtocolVersion: 2
      port: 110
    - name: stalwart-pop3s
      match: HostSNI(`*`)
      service: stalwart-pop3s
      entrypoint: pop3s
      port: 995
+      proxyProtocolVersion: 2
 files:
  config:
    enabled: true
--- a/values/badhouseplants/values.traefik.yaml
+++ b/values/badhouseplants/values.traefik.yaml
@ -1,6 +1,8 @@
 service:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  spec:
+    externalTrafficPolicy: Local
 ports:
  websecure:
    transport:
--- a/values/common/values.istio-gateway.yaml
+++ b/values/common/values.istio-gateway.yaml
@ -1,4 +1,3 @@
---
 istio-gateway:
  templates:
    - |
@ -8,6 +7,7 @@ istio-gateway:
      kind: Gateway
      metadata:
        name: {{ .name }}
+        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
--- a/values/common/values.tcp-route.yaml
+++ b/values/common/values.tcp-route.yaml
@ -17,6 +17,7 @@ traefik:
            nativeLB: true
            port: {{ .port }}
            {{- if .proxyProtocolVersion }}
-            proxyProtocol: {{ .proxyProtocolVersion }}
+            proxyProtocol:
+              version: {{ .proxyProtocolVersion }}
            {{- end }}
      {{- end }}