Newer
Older
Josh Wolf
committed
{{- if .Values.istio.enabled }}
{{- include "values-secret" (dict "root" $ "package" .Values.istio "name" "istio" "defaults" (include "bigbang.defaults.istio" .)) }}
{{- end }}
{{- define "bigbang.defaults.istio" -}}
# hostname is deprecated and replaced with domain. But if hostname exists then use it.
{{- $domainName := default .Values.domain .Values.hostname }}
domain: {{ $domainName }}
mtls:
mode: {{ .Values.istio.mtls.mode }}
{{- if not (semverCompare "<1.19" .Capabilities.KubeVersion.GitVersion) }}
env:
- name: ENABLE_LEGACY_FSGROUP_INJECTION
value: "false"
{{- end }}
# Change default hpaSpec to ensure generated HPA uses autoscaling/v2
{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
hpaSpec:
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
{{- else }}
hpaSpec:
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 60
{{- end }}
{{- if or .Values.jaeger.enabled .Values.tempo.enabled }}
tracing:
{{- if .Values.jaeger.enabled }}
enabled: {{ .Values.jaeger.enabled }}
sampling: 100
max_path_tag_length: 99999
{{- end }}
{{- end }}
{{- if .Values.tempo.enabled }}
meshConfig:
accessLogFormat: |
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME% traceID=%REQ(x-b3-traceid)%
{{- end }}
Josh Wolf
committed
imagePullSecrets:
- private-registry
openshift: {{ .Values.openshift }}
enabled: {{ or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) }}
monitoring:
enabled: {{ .Values.monitoring.enabled }}
kiali:
enabled: {{ .Values.kiali.enabled }}
networkPolicies:
enabled: {{ .Values.networkPolicies.enabled }}
controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
Tawsif Siddiqui
committed
imagePullPolicy: {{ .Values.imagePullPolicy }}
Noah Gearhart
committed
{{- if or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)}}
values:
pilot:
jwksResolverExtraRootCA: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | quote }}
{{- end }}
{{- if .Values.istio.ingressGateways }}
ingressGateways:
istio-ingressgateway:
enabled: false
{{- range $name, $values := .Values.istio.ingressGateways }}
{{ $name | nindent 2 }}:
{{- toYaml (merge (dict "k8s" $values.kubernetesResourceSpec) (fromYaml (include "istio.ingressgateway.k8s" $values))) | nindent 4 }}
{{- toYaml (dict "extraLabels" $values.extraLabels) | nindent 4 }}
{{- end}}
{{- end }}
{{- if .Values.istio.gateways }}
gateways:
main: null
{{- end }}
{{- range $name, $values := .Values.istio.gateways }}
{{ $name | nindent 2 }}:
selector:
app: {{ $values.ingressGateway }}
autoHttpRedirect:
enabled: {{ dig "autoHttpRedirect" "enabled" "true" $values }}
{{- if $values.servers }}
{{- range $index, $servervalues := $values.servers}}
- hosts:
{{- tpl ( $servervalues.hosts | default (list) | toYaml) $ | nindent 8 }}
port:
{{- if $servervalues.port }}
{{- tpl ( $servervalues.port | default (dict) | toYaml) $ | nindent 8 }}
{{- else }}
name: https
number: 8443
protocol: HTTPS
{{- end }}
tls:
{{- $tlsMode := (dig "tls" "mode" "SIMPLE" $servervalues) }}
mode: {{ $tlsMode }}
{{- if or (eq $tlsMode "SIMPLE") (eq $tlsMode "MUTUAL") }}
{{- $tlsMinVersion := (dig "tls" "minProtocolVersion" "" $values) }}
{{- if $tlsMinVersion }}
minProtocolVersion: {{ $tlsMinVersion }}
{{- end }}
{{- end }}
{{- else if ($values.ports) }}
{{- range $values.ports }}
{{- tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
port:
{{- tpl ( . | default (list) | toYaml) $ | nindent 8 }}
tls:
{{- $tlsMode := (dig "tls" "mode" "SIMPLE" $values) }}
mode: {{ $tlsMode }}
{{- if or (eq $tlsMode "SIMPLE") (eq $tlsMode "MUTUAL") }}
credentialName: {{ $name }}-cert
{{- $tlsMinVersion := (dig "tls" "minProtocolVersion" "" $values) }}
{{- if $tlsMinVersion }}
minProtocolVersion: {{ $tlsMinVersion }}
{{- end }}
{{- tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
port:
name: https
number: 8443
protocol: HTTPS
tls:
{{- $tlsMode := (dig "tls" "mode" "SIMPLE" $values) }}
mode: {{ $tlsMode }}
{{- if or (eq $tlsMode "SIMPLE") (eq $tlsMode "MUTUAL") }}
credentialName: {{ $name }}-cert
{{- $tlsMinVersion := (dig "tls" "minProtocolVersion" "" $values) }}
{{- if $tlsMinVersion }}
minProtocolVersion: {{ $tlsMinVersion }}
{{- end }}
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
{{- end }}
{{- define "istio.ingressgateway.k8s" -}}
k8s:
service:
type: {{ .type }}
{{- if .nodePortBase }}
ports: # Pulled from Istio gateway defaults (https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml)
# Ports default to "protocol: TCP" and "targetPort = port"
# AWS ELB will by default perform health checks on the first port on this list. https://github.com/istio/istio/issues/12503
- port: 15021
name: status-port
nodePort: {{ add .nodePortBase 0 }}
- port: 80
targetPort: 8080
name: http2
nodePort: {{ add .nodePortBase 1 }}
- port: 443
targetPort: 8443
name: https
nodePort: {{ add .nodePortBase 2 }}
# SNI Routing port
- port: 15443
name: tls
nodePort: {{ add .nodePortBase 3 }}
{{- end }}