Operatorless Istio with CORE packages only SKIP UPGRADE DEBUG

49b82d89 · Greg M · Michael Martin · 3ef346fc · 49b82d89 · 49b82d89
Commit 49b82d89 authored 1 month ago by Greg M Committed by Michael Martin 1 month ago
--- a/chart/templates/loki/helmrelease.yaml
+++ b/chart/templates/loki/helmrelease.yaml
@@ -78,6 +78,10 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
    {{- if .Values.kyvernoPolicies.enabled }}
    - name: kyverno-policies
      namespace: {{ .Release.Namespace }}

--- a/chart/templates/loki/namespace.yaml
+++ b/chart/templates/loki/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: logging
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.loki) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.loki) "enabled")) }}
 {{- end }}
--- a/chart/templates/loki/values.yaml
+++ b/chart/templates/loki/values.yaml
@@ -13,8 +13,8 @@ clusterName: ""
 openshift: {{ .Values.openshift }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
-  {{- if or
+  enabled: {{ include "istioEnabled" . }}
+  {{- if or 
      (dig "hardened" "enabled" false .Values.istio.values)
      (dig "istio" "hardened" "enabled" false .Values.monitoring.values)
      (dig "istio" "hardened" "enabled" false .Values.addons.authservice.values)
@@ -34,6 +34,10 @@ istio:
    minioOperator:
      enabled: {{ .Values.addons.minioOperator.enabled }}
  {{- end }}
+  loki:
+    enabled: true
+    gateways:
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) }}

 imagePullSecrets:
  - name: private-registry
@@ -44,13 +48,15 @@ image:
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}

 monitoring:
  enabled: {{ .Values.monitoring.enabled }}
  serviceMonitor:
    enabled: {{ .Values.monitoring.enabled }}
    # conditional passes only for default istio: enabled, mTLS: SCRICT
-    {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.loki.values) "STRICT") }}
+    {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.loki.values) "STRICT") }}
    scheme: https
    tlsConfig:
      caFile: /etc/prom-certs/root-cert.pem
@@ -102,7 +108,7 @@ loki:
    filesystem:
      directory: /var/loki/chunks
  {{- end }}
-  {{- if .Values.istio.enabled }}
+  {{- if include "istioEnabled" . }}
  podAnnotations:
    {{ include "istioAnnotation" . }}
  {{- end }}

--- a/chart/templates/metrics-server/namespace.yaml
+++ b/chart/templates/metrics-server/namespace.yaml
@@ -9,6 +9,6 @@ metadata:
    app.kubernetes.io/name: metrics-server
    app.kubernetes.io/component: "cluster-utilities"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.metricsServer) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.metricsServer) "enabled")) }}
  name: metrics-server
 {{- end }}
--- a/chart/templates/minio-operator/helmrelease.yaml
+++ b/chart/templates/minio-operator/helmrelease.yaml
@@ -69,6 +69,10 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
    {{- if .Values.kyvernoPolicies.enabled }}
    - name: kyverno-policies
      namespace: {{ .Release.Namespace }}

--- a/chart/templates/minio-operator/namespace.yaml
+++ b/chart/templates/minio-operator/namespace.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
  name: minio-operator
  labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.minioOperator) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.minioOperator) "enabled")) }}
    app.kubernetes.io/name: minioOperator
    app.kubernetes.io/component: "application-utilities"
    {{- include "commonLabels" . | nindent 4}}

--- a/chart/templates/minio-operator/values.yaml
+++ b/chart/templates/minio-operator/values.yaml
@@ -38,13 +38,15 @@ operator:
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  ingressLabels:
    {{- $gateway := default "public" .Values.addons.minio.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.addons.minioOperator.values)
@@ -53,9 +55,9 @@ istio:
    }}
  console:
    gateways:
-    - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 annotations:
  {{ include "istioAnnotation" . }}
 {{- end }}

--- a/chart/templates/minio/namespace.yaml
+++ b/chart/templates/minio/namespace.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
  name: minio
  labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.minio) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.minio) "enabled")) }}
    app.kubernetes.io/name: minio
    app.kubernetes.io/component: "application-utilities"
    {{- include "commonLabels" . | nindent 4}}

--- a/chart/templates/minio/values.yaml
+++ b/chart/templates/minio/values.yaml
@@ -9,13 +9,13 @@ hostname: {{ $domainName }}
 domain: {{ $domainName }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  console:
    gateways:
-    - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}
  api:
    gateways:
-    - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.addons.minioOperator.values)
@@ -23,7 +23,7 @@ istio:
      (dig "hardened" "enabled" false .Values.istio.values)
    }}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 annotations:
  {{ include "istioAnnotation" . }}
 {{- end }}

--- a/chart/templates/monitoring/helmrelease.yaml
+++ b/chart/templates/monitoring/helmrelease.yaml
@@ -56,12 +56,16 @@ spec:
      valuesKey: "overlays"

  # TODO: DRY this up
-  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.addons.vault.enabled }}
+  {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.addons.vault.enabled }}
  dependsOn:
  {{- if .Values.istio.enabled }}
    - name: istio
      namespace: {{ .Release.Namespace }}
  {{- end }}
+  {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
  {{- if .Values.gatekeeper.enabled }}
    - name: gatekeeper
      namespace: {{ .Release.Namespace }}

--- a/chart/templates/monitoring/namespace.yaml
+++ b/chart/templates/monitoring/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: monitoring
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
 {{- end }}
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -8,7 +8,7 @@
 hostname: {{ $domainName }}
 domain: {{ $domainName }}

-{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled") .Values.istio.enabled) }}
+{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
 {{- $gitlabRedis := (and (ne .Values.addons.gitlab.redis.password "" ) (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled)) }}
 {{- $authserviceRedisEnabled := (and (dig "values" "redis" "enabled" false .Values.addons.authservice) .Values.addons.authservice.enabled) }}
 {{- $redisDatasource := (or $gitlabRedis .Values.addons.argocd.enabled $authserviceRedisEnabled) }}
@@ -21,11 +21,19 @@ flux:

 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
  ingressLabels:
+    {{- if .Values.istio.enabled }}
    {{- $gateway := default "public" .Values.monitoring.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    app: public-ingressgateway
+    istio: ingressgateway
+    {{- end }}

 openshift: {{ .Values.openshift }}

@@ -37,7 +45,7 @@ gitlabRunner:

 istio:
  {{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.monitoring.values)
@@ -76,7 +84,7 @@ istio:
    namespace: authservice
    {{- end }}
    gateways:
-    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
  alertmanager:
    enabled: true
    {{- if and .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
@@ -85,7 +93,7 @@ istio:
    namespace: authservice
    {{- end }}
    gateways:
-    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
  injection: {{ dig "istio" "injection" "enabled" .Values.monitoring }}

 alertmanager:
@@ -112,7 +120,7 @@ alertmanager:
        {{ include "istioAnnotation" . }}
      {{- end }}
    {{- end }}
-  {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+  {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
  serviceMonitor:
    scheme: https
    tlsConfig:
@@ -143,7 +151,7 @@ prometheus:

  thanosServiceMonitor:
    enabled: true
-    {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+    {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
    serviceMonitor:
      scheme: https
      tlsConfig:
@@ -154,7 +162,7 @@ prometheus:
    {{- end }}
  {{- end }}
  prometheusSpec:
-    {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+    {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
    alertingEndpoints:
    - name: monitoring-monitoring-kube-alertmanager
      namespace: monitoring

--- a/chart/templates/neuvector/helmrelease.yaml
+++ b/chart/templates/neuvector/helmrelease.yaml
@@ -55,7 +55,7 @@ spec:
      kind: Secret
      valuesKey: "overlays"

-  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+  {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
  dependsOn:
    {{- if .Values.gatekeeper.enabled }}
    - name: gatekeeper
@@ -65,6 +65,10 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
    {{- if .Values.kyvernoPolicies.enabled }}
    - name: kyverno-policies
      namespace: {{ .Release.Namespace }}

--- a/chart/templates/neuvector/namespace.yaml
+++ b/chart/templates/neuvector/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: neuvector
    app.kubernetes.io/component: "sandbox"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/neuvector/values.yaml
+++ b/chart/templates/neuvector/values.yaml
@@ -7,10 +7,10 @@ domain: {{ default .Values.domain .Values.hostname }}

 openshift: {{ .Values.openshift }}

-{{ $istioInjection := (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
+{{ $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.neuvector.values)
@@ -18,7 +18,7 @@ istio:
    }}
  neuvector:
    gateways:
-    - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
  injection: {{ ternary "enabled" "disabled" $istioInjection }}

 monitoring:
@@ -113,7 +113,7 @@ cve:
    {{- end }}
 {{- end }}

-{{- if or .Values.istio.enabled $.Values.kiali.enabled }}
+{{- if or (include "istioEnabled" .) $.Values.kiali.enabled }}
 manager:
  {{- if $istioInjection }}
  podAnnotations:
@@ -124,10 +124,18 @@ manager:
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  ingressLabels:
+  {{- if .Values.istio.enabled }}
    {{- $gateway := default "public" .Values.neuvector.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+  {{- end }}
+  {{- if .Values.istioCore.enabled }}
+    app: public-ingressgateway
+    istio: ingressgateway
+  {{- end }}
 {{- end }}

 {{- /* Create secret */ -}}

--- a/chart/templates/promtail/helmrelease.yaml
+++ b/chart/templates/promtail/helmrelease.yaml
@@ -70,6 +70,10 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
    {{- if .Values.kyvernoPolicies.enabled }}
    - name: kyverno-policies
      namespace: {{ .Release.Namespace }}

--- a/chart/templates/promtail/namespace.yaml
+++ b/chart/templates/promtail/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.promtail) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.promtail) "enabled")) }}
 {{- end }}
--- a/chart/templates/promtail/values.yaml
+++ b/chart/templates/promtail/values.yaml
@@ -12,7 +12,7 @@ image:
 openshift: {{ .Values.openshift }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.promtail.values)
@@ -25,7 +25,7 @@ loki:
 serviceMonitor:
  enabled: {{ .Values.monitoring.enabled }}
  # conditional passes only for default istio: enabled, mTLS: SCRICT
-  {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.promtail.values) "STRICT") }}
+  {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.promtail.values) "STRICT") }}
  scheme: https
  tlsConfig:
    caFile: /etc/prom-certs/root-cert.pem
@@ -41,7 +41,7 @@ networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 podAnnotations:
  {{ include "istioAnnotation" . }}
 {{- end }}

--- a/chart/templates/sonarqube/values.yaml
+++ b/chart/templates/sonarqube/values.yaml
@@ -30,6 +30,8 @@ monitoring:

 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  ingressLabels:
    {{- $gateway := default "public" .Values.addons.sonarqube.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}

--- a/chart/templates/tempo/helmrelease.yaml
+++ b/chart/templates/tempo/helmrelease.yaml
@@ -56,7 +56,7 @@ spec:
    - name: {{ .Release.Name }}-tempo-values
      kind: Secret
      valuesKey: "overlays"
-  {{- if or .Values.monitoring.enabled .Values.istio.enabled .Values.tempo.sso.enabled }}
+  {{- if or .Values.monitoring.enabled .Values.tempo.sso.enabled (include "istioEnabled" .) }}
  dependsOn:
    {{- if  .Values.monitoring.enabled }}
    - name: monitoring
@@ -70,5 +70,9 @@ spec:
    - name: istio
      namespace: {{ .Release.Namespace }}
    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
  {{- end }}
 {{- end }}