diff --git a/chart/ingress-certs.yaml b/chart/ingress-certs.yaml index 96a8375f5231cef3e92d9e4c9605cccbf0223989..8cf53db684eb9ccef6cdb53934ecf8d359dd5738 100644 --- a/chart/ingress-certs.yaml +++ b/chart/ingress-certs.yaml 
@@ -1,3 +1,94 @@ +istioGatewayPublic: + tls: + key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCkz9rWBxaiDui + uw8vF49lTKtShFTu3tAkWiyp3IwzSH3F/HeSZ8pMTl7reCiRbhXHSmqiCyVVFkg7 + eG6gA1fJNhJI26zoTSaN+seV1N4qgQIa4vkVgUEumPo6L+X93n7X7rH1GwVilYFo + 5MpYZkGoTLp8JtZRsUAXmooRa2URUoX11Wx4aegPR55gKkhXKnTl5a7cln93zOZb + 6QKG/UOmSIJe5C5JKQYhpQlv5DWi7Zf6ZqJABT27Lu8U/DY4qCv4pVphxdcZZqGl + 8GbBRmZ3pEHKS9KzlffHRE4xl/xy1cSdG60jlpBL8f8PO+bGEnqCMr8LXJqoU1Lp + Samg9AuJAgMBAAECggEAG8CLzaA6HxGKS/oZPtLB8aVfVDwqrw1Zq62u7CVYW+It + ikUputiR6pNNB5HSW3fTpGKxVd54Gyw77juNr8X6Sekr73dhsJp8csi/mdfMPky7 + Q6F2/IG8jcxk+FKnn6+R8POLL1YEzRxc4lyrnbMsDziuapHRhMJezV8N7VEfj7ox + HbZDv00sLdwlIpnG6llJysq+S48s86l8CYBzpTk33XNOwWahrwZBGmpRBwdj2niP + 8UVZMD2GPSX+RevWEM5l3TkU6YbaFgOFthXmP3KcQjUHFkPRZq8iEcJnFixcaOGK + ySm3SbRr2kdHzuIpWTm4Yro9/9Jj3y5bfg3uo29jhwKBgQDydCIIeglxVaZgx06x + o7LdZpRQvVp3/Es6KTppqDeYwrFAZNTiP6aH4ZXpnyL7jrMn2iqSvBJ9/WnadKyc + gvgxBPBj+b84a7mVN/5AILzmcSxqHgEju0Ql+NuAuY1YHINtqgfNM9u68/JYw9s9 + OeK81rja99CID1JNSmKM30zGxwKBgQDNckx/rhuSgiKI55WIQ7//yOtgRvzOWArH + vGlb2N+8zyfJd+D0tZyB39ZIvGGROm95rMNW/jmyEgiF8TkMLvjFMB/EpCWT58LG + I0WvkPizCd62tGoiBdIJ3tQi8RDwTVcLrzZsv7b039kkHpnFg0io93i4g/zOUear + wK/MiycLLwKBgQDFL8iCJmbJo0RGz7Jj7WRKhuQ3allK3ol8Sw2z4tkcx7OLULaH + MAdL2h+nuwKjn2J8FgasAoPzrgfKYTwFqssaaw7r8LIhvBNalgiVtUqNDRx3TeHV + YrfBPk2fusmHEOGfbjscHIIn4cGHifskJ5ENzoDXrdcO4Y8pR0cxlWcG/wKBgCRY + ViQ4XvRaRVXG8nM62RqdJtbPeCXg+XdAY7s18M7sLvO7W3avMlLfkH8ppHEWz2XN + JHmdXAOeoRdhB2CaZrQrwVL+Xw99br2yu79FfFngIyBbZnNCaFgKrajI0OBSLlYI + 1y4B9JH5j+aN61I/2Xja3uZ1oyG054P3AKLE81FNAoGAHVV7TcyVwi8OJo/1YGHq + ybWK0UvWTKJ4YgpMO3Asn3MzwadoxY5E6p0RpqQSDCV+txAPX1QqHNRuCcKmPHSF + 6E7oWeFD09vcOcaPQSTw7NfGUktoMLDzjfiHHGLGKH3PeB7qgPIfnHvOa4iJjyQp + gBaI0ROebBfbZ5pUyr/NEx4= + -----END PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIE9DCCA9ygAwIBAgISBLhHLRR5idjuJooPRuDdhyFaMA0GCSqGSIb3DQEBCwUA + MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD + 
EwNSMTEwHhcNMjUwMjEyMTcxNzU4WhcNMjUwNTEzMTcxNzU3WjAcMRowGAYDVQQD + DBEqLmRldi5iaWdiYW5nLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBAMKTP2tYHFqIO6K7Dy8Xj2VMq1KEVO7e0CRaLKncjDNIfcX8d5JnykxOXut4 + KJFuFcdKaqILJVUWSDt4bqADV8k2EkjbrOhNJo36x5XU3iqBAhri+RWBQS6Y+jov + 5f3eftfusfUbBWKVgWjkylhmQahMunwm1lGxQBeaihFrZRFShfXVbHhp6A9HnmAq + SFcqdOXlrtyWf3fM5lvpAob9Q6ZIgl7kLkkpBiGlCW/kNaLtl/pmokAFPbsu7xT8 + NjioK/ilWmHF1xlmoaXwZsFGZnekQcpL0rOV98dETjGX/HLVxJ0brSOWkEvx/w87 + 5sYSeoIyvwtcmqhTUulJqaD0C4kCAwEAAaOCAhcwggITMA4GA1UdDwEB/wQEAwIF + oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd + BgNVHQ4EFgQUbbIRs2GOo9GYzktU5Url5c9dSzIwHwYDVR0jBBgwFoAUxc9GpOr0 + w8B6bJXELbBeki8m47kwVwYIKwYBBQUHAQEESzBJMCIGCCsGAQUFBzABhhZodHRw + Oi8vcjExLm8ubGVuY3Iub3JnMCMGCCsGAQUFBzAChhdodHRwOi8vcjExLmkubGVu + Y3Iub3JnLzAcBgNVHREEFTATghEqLmRldi5iaWdiYW5nLm1pbDATBgNVHSAEDDAK + MAgGBmeBDAECATCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AHMgIg8IFor588Sm + iwqyappKAO71d4WKCE0FANSlQkRZAAABlPtgcQIAAAQDAEgwRgIhAKLzkKto2f2R + l3TrYZ+fLvW9qXRSVN8x3ilaKdcS+dEKAiEAg408cpgsAv88HOx9lLI9jJmLXm/7 + hUhT22LkL1JaVgMAdwCi4wrkRe+9rZt+OO1HZ3dT14JbhJTXK14bLMS5UKRH5wAA + AZT7YHjfAAAEAwBIMEYCIQDWMGhLWcUeAP8YZSMvwD7eiJ2IWlpbvtBIEswIYPg7 + BAIhAL8JoxIMP6GTmvGGd8Fmx6kUC/fTx5odro0Z1eag731hMA0GCSqGSIb3DQEB + CwUAA4IBAQAH2I9lef1qGbjAwa92YU95l8G+DvQZ1nEJVADqcXZ/EGW0r4St5t7j + y0wFEweo8PZmQG81wemsGWKPGwtL/+ow29RjSmHL+Wg3cY+WrtYuAwFwJguIBDoU + 8nU7x29lHZy2E0i5fPL0lfHATvjNdhaycrg50Oc2/osOusTSzR5GPtIqFnQt0hKj + EvotDUCxlFD+tmgEdYDfAhD+PM2r/qXI5U/1mmXqmQF2YwzXsxZzS/PqhGnD2Day + jSTELbgAtsPMW8yh0Js20deOZ3aT6Wj1s8OpzgoIMb4Ztw9sLD9IcgdzVvgaBYQf + nJNGNWiG+v+1Lp2rEnEbN3R/f34JteTG + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw + WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg + 
RW5jcnlwdDEMMAoGA1UEAxMDUjExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAuoe8XBsAOcvKCs3UZxD5ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJ + DAjs4DqwO3cOvfPlOVRBDE6uQdaZdN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxG + AGQUmfOx2SLZzaiSqhwmej/+71gFewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy + 6cRms+EGZkNIGIBloDcYmpuEMpexsr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnw + SVzgJFDhxLyhBax7QG0AtMJBP6dYuC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLP + Xzze41xNG/cLJyuqC0J3U095ah2H2QIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB + hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB + /wIBADAdBgNVHQ4EFgQUxc9GpOr0w8B6bJXELbBeki8m47kwHwYDVR0jBBgwFoAU + ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC + hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG + A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN + AQELBQADggIBAE7iiV0KAxyQOND1H/lxXPjDj7I3iHpvsCUf7b632IYGjukJhM1y + v4Hz/MrPU0jtvfZpQtSlET41yBOykh0FX+ou1Nj4ScOt9ZmWnO8m2OG0JAtIIE38 + 01S0qcYhyOE2G/93ZCkXufBL713qzXnQv5C/viOykNpKqUgxdKlEC+Hi9i2DcaR1 + e9KUwQUZRhy5j/PEdEglKg3l9dtD4tuTm7kZtB8v32oOjzHTYw+7KdzdZiw/sBtn + UfhBPORNuay4pJxmY/WrhSMdzFO2q3Gu3MUBcdo27goYKjL9CTF8j/Zz55yctUoV + aneCWs/ajUX+HypkBTA+c8LGDLnWO2NKq0YD/pnARkAnYGPfUDoHR9gVSp/qRx+Z + WghiDLZsMwhN1zjtSC0uBWiugF3vTNzYIEFfaPG7Ws3jDrAMMYebQ95JQ+HIBD/R + PBuHRTBpqKlyDnkSHDHYPiNX3adPoPAcgdF3H2/W0rmoswMWgTlLn1Wu0mrks7/q + pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo + 6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV + uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA + -----END CERTIFICATE----- + istio: gateways: public: @@ -271,4 +362,4 @@ addons: pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo 6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA - -----END CERTIFICATE----- + -----END CERTIFICATE----- \ No newline at end of file 
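Review bot: This hunk commits a complete RSA private key (`-----BEGIN PRIVATE KEY-----` block) plus a Let's Encrypt chain whose leaf subject appears to decode to `*.dev.bigbang.mil`, and the identical key/cert material is still present further down the same tracked values file under `istio.gateways.public` (the second hunk only fixes the missing trailing newline), so the secret now lives twice in one file. If this is the intentionally public throw-away dev certificate, say so at the top of the new block — e.g. `# DEV ONLY: publicly known test cert/key for *.dev.bigbang.mil; never reuse outside ephemeral dev clusters` — and consider feeding both gateway blocks from one source (a YAML anchor, or an `existingSecret` reference) so a rotation cannot leave a stale copy behind; if it is not the public dev cert, the key must be treated as compromised and rotated. The leaf's validity fields appear to span Feb–May 2025, so whatever consumes this file needs a refresh path regardless.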
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index d2dc916a4e5feea1190d8fb4cdc344844b096531..d20fefb088d78e1102868a74878c7d843172254e 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -438,4 +438,45 @@ data: {{- end -}} {{- end -}} +{{- /* Returns namespace of istio gateways */ -}} +{{- define "istioGatewayNamespace" -}} +{{- if .Values.istio.enabled -}} + {{- print "istio-system" -}} +{{- else -}} + {{- print "istio-gateway" -}} +{{- end -}} +{{- end -}} + +{{- /* Returns name of istio public gateway */ -}} +{{- define "istioPublicGateway" -}} +{{- if .Values.istio.enabled -}} + {{- print "public" -}} +{{- else -}} + {{- print "public-ingressgateway" -}} +{{- end -}} +{{- end -}} +{{- /* Returns name of istio passthrough gateway */ -}} +{{- define "istioPassthroughGateway" -}} +{{- if .Values.istio.enabled -}} + {{- print "passthrough" -}} +{{- else -}} + {{- print "passthrough-ingressgateway" -}} +{{- end -}} +{{- end -}} + +{{- /* Returns true if either istio or istioCore is enabled */ -}} +{{- define "istioEnabled" -}} +{{ or .Values.istio.enabled .Values.istioCore.enabled }} +{{- end -}} + +{{- /* Returns name of istio Namespace Selector*/ -}} +{{- define "istioNamespaceSelector" -}} +{{- if .Values.istioCore.enabled -}} +ingress: istio-gateway +egress: istio-core +{{- else -}} +ingress: istio-controlplane +egress: istio-controlplane +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/chart/templates/argocd/namespace.yaml b/chart/templates/argocd/namespace.yaml index 3897cb98af27930df6e739737ba225a61867c5dc..8ee74e2897315e2c32f780d608b200b3e8f2c50c 100644 --- a/chart/templates/argocd/namespace.yaml +++ b/chart/templates/argocd/namespace.yaml 
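Review bot: `istioEnabled` renders the text `true` or `false`, and a Go-template `include` always returns a string, so every caller in this commit of the form `{{ if and (include "istioEnabled" .) ... }}` or `{{ if include "istioEnabled" . }}` is truthy even when both `istio.enabled` and `istioCore.enabled` are false — `"false"` is a non-empty string. Either make the helper emit nothing in the false case, `{{- if or .Values.istio.enabled .Values.istioCore.enabled -}}true{{- end -}}`, so `include` is falsy with no mesh (value sites such as `enabled: {{ include "istioEnabled" . }}` would then want `| default false`), or have every boolean caller compare explicitly with `(eq (include "istioEnabled" .) "true")`. Separately, `istioNamespaceSelector` emits `egress: istio-core` when istioCore is enabled, yet the istio-core templates in this commit create and target `istio-system`; unless the downstream chart itself creates an `istio-core` namespace, egress policies keyed on that value will point at a namespace that does not exist and sidecar-to-istiod traffic will be blocked wherever those policies are enforced.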
@@ -6,6 +6,6 @@ metadata: app.kubernetes.io/name: argocd app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.argocd) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.argocd) "enabled")) }} name: argocd -{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/argocd/values.yaml b/chart/templates/argocd/values.yaml index d36a93c9ad6dac4db3c3757ff3772e87a9e730e4..7a4939525cd9deb8fadb4c3b97dbd696dafdacd2 100644 --- a/chart/templates/argocd/values.yaml +++ b/chart/templates/argocd/values.yaml @@ -142,7 +142,7 @@ repoServer: {{- end }} istio: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} hardened: enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.addons.argocd.values) @@ -151,13 +151,15 @@ istio: injection: {{ dig "istio" "injection" "enabled" .Values.addons.argocd }} argocd: gateways: - - istio-system/{{ default "public" .Values.addons.argocd.ingress.gateway }} + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.argocd.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} ingressLabels: {{- $gateway := default "public" .Values.addons.argocd.ingress.gateway }} diff --git a/chart/templates/authservice/gitrepository.yaml b/chart/templates/authservice/gitrepository.yaml index c6665ace28684b1020df720b29b54f9b51e9bf09..24ed66eb80b69159f76c4afca049628978346b8e 100644 --- a/chart/templates/authservice/gitrepository.yaml +++ b/chart/templates/authservice/gitrepository.yaml 
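Review bot: On the `istio-injection` line, `and (include "istioEnabled" .) (...)` is always true on its first operand because `include` yields the string `false` rather than a boolean, so the argocd namespace is labelled `istio-injection: enabled` whenever `addons.argocd.istio.injection` is `enabled`, even on a cluster with no mesh; the removed line did depend on `.Values.istio.enabled`. Use `(and (eq (include "istioEnabled" .) "true") (eq (dig "istio" "injection" "enabled" .Values.addons.argocd) "enabled"))`. In the values hunk, the gateway reference now resolves to `istio-gateway/public-ingressgateway` when istioCore is enabled, but the `ingressLabels` block that follows (its body is outside the hunk) still starts from `default "public"` and, going by the sibling authservice template, looks the gateway up under `.Values.istio` — that lookup cannot see an istioCore gateway, so the NetworkPolicy ingress selector may not match the new gateway pods; verify the rendered output with istioCore on.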
@@ -1,4 +1,4 @@ -{{- if and .Values.istio.enabled (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} +{{- if and (include "istioEnabled" .) (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} {{- $gitCredsDict := dict "name" "authservice" "packageGitScope" .Values.addons.authservice.git diff --git a/chart/templates/authservice/helmrelease.yaml b/chart/templates/authservice/helmrelease.yaml index 2032be1475e510d8332078cf23bcea33eed8237b..da10540585e8ef23fa7896178defcb36e3866487 100644 --- a/chart/templates/authservice/helmrelease.yaml +++ b/chart/templates/authservice/helmrelease.yaml @@ -1,5 +1,5 @@ {{- $fluxSettingsAuthservice := merge .Values.addons.authservice.flux .Values.flux -}} -{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} +{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: @@ -65,4 +65,8 @@ spec: - name: monitoring namespace: {{ .Release.Namespace }} {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} 
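Review bot: Both `{{- if and (include "istioEnabled" .) (or ...) }}` guards collapse to `if (or ...)` because `include` returns the non-empty string `false` when neither mesh flag is set, so the authservice GitRepository and HelmRelease are now rendered on clusters without Istio, which the previous `.Values.istio.enabled` test prevented. The new `dependsOn: istio-core` entry is correctly keyed on `.Values.istioCore.enabled`, but the outer guard should be `{{- if and (eq (include "istioEnabled" .) "true") (or .Values.addons.authservice.enabled ...) }}`. Authservice only functions as the mesh's external authorizer, so deploying it mesh-less adds a running component and its Redis with nothing to protect.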
diff --git a/chart/templates/authservice/imagepullsecret.yaml b/chart/templates/authservice/imagepullsecret.yaml index c26e456c3015e5dced62b38aad48b707da0301c8..e8f7d29ae096aded9d25ca7d18a2281556fb7578 100644 --- a/chart/templates/authservice/imagepullsecret.yaml +++ b/chart/templates/authservice/imagepullsecret.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} +{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} {{- if ( include "imagePullSecret" . ) }} apiVersion: v1 kind: Secret diff --git a/chart/templates/authservice/namespace.yaml b/chart/templates/authservice/namespace.yaml index 4a29c465de96b35b27d3b9d7762f9273dfb57c20..20e545621da4640454700609949cfc16501a6581 100644 --- a/chart/templates/authservice/namespace.yaml +++ b/chart/templates/authservice/namespace.yaml 
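Review bot: Same truthiness issue: this Secret carries registry credentials and is now rendered into the `authservice` namespace whenever any SSO flag is set, even with neither `istio.enabled` nor `istioCore.enabled`, because `include "istioEnabled"` yields the non-empty string `false`. Registry credentials should not be copied into namespaces for components that will not run; compare explicitly: `{{- if and (eq (include "istioEnabled" .) "true") (or .Values.addons.authservice.enabled ...) }}`.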
@@ -1,10 +1,10 @@ -{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} +{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }} apiVersion: v1 kind: Namespace metadata: name: authservice labels: - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.authservice) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.authservice) "enabled")) }} app.kubernetes.io/name: authservice app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} diff --git a/chart/templates/authservice/values.yaml b/chart/templates/authservice/values.yaml index 6b0a2a6d15af8f0912fd04782416ae9cfa2e99d1..c90fd913b8f79f65a7290f02d807d2263a3d2168 100644 --- a/chart/templates/authservice/values.yaml +++ b/chart/templates/authservice/values.yaml 
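Review bot: The namespace guard and the `istio-injection` label both use `and (include "istioEnabled" .) ...`, which is always true on the first operand (the `include` returns the string `false`), so with no mesh the `authservice` namespace is still created and gets `istio-injection: enabled` whenever `addons.authservice.istio.injection` is `enabled`. Both sites should use `(eq (include "istioEnabled" .) "true")` in place of the bare `include`.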
@@ -1,4 +1,4 @@ -{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }} +{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }} {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }} {{- end }} @@ -16,7 +16,7 @@ }} istio: - enabled: {{ .Values.istio.enabled | default false }} + enabled: {{ (include "istioEnabled" .) | default false }} hardened: enabled: {{ $authServiceHardened }} clusterWideHardenedEnabled: {{ dig "hardened" "enabled" false .Values.istio.values }} @@ -37,6 +37,8 @@ monitoring: networkPolicies: enabled: {{ .Values.networkPolicies.enabled | default false }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} ingressLabels: {{- $gateway := default "public" .Values.addons.haproxy.ingress.gateway }} {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} 
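Review bot: `enabled: {{ (include "istioEnabled" .) | default false }}` — the `| default false` is dead code now, since the `include` returns the non-empty string `false` and `default` only fires on empty values; the line happens to render correctly, but the top-level guard on the first line of the file is the same pattern and does not (it is always true). Write the guard as `{{- if and (eq (include "istioEnabled" .) "true") (or ...) }}` and drop the misleading `default`. Note also that the unchanged `ingressLabels` context at the end of this hunk still resolves the gateway via `dig "gateways" $gateway "ingressGateway" nil .Values.istio`, which returns nil for an istioCore-managed gateway; what that nil turns into is outside the hunk, but it is the label set that decides which gateway pods may reach authservice.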
@@ -63,7 +65,7 @@ redis-bb: selector: app.kubernetes.io/name: redis-bb app.kubernetes.io/instance: authservice-authservice - {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.authservice.values) "STRICT") }} + {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.authservice.values) "STRICT") }} scheme: https tlsConfig: caFile: /etc/prom-certs/root-cert.pem diff --git a/chart/templates/grafana/helmrelease.yaml b/chart/templates/grafana/helmrelease.yaml index 99d7af88035bf56827eb95219a9963810b83e4c3..fa83c22e1a2a943727352a03c5d1327aebb58c73 100644 --- a/chart/templates/grafana/helmrelease.yaml +++ b/chart/templates/grafana/helmrelease.yaml @@ -58,12 +58,16 @@ spec: valuesKey: "overlays" # TODO: DRY this up - {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }} + {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }} dependsOn: {{- if .Values.istio.enabled }} - name: istio namespace: {{ .Release.Namespace }} {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} + {{- end }} {{- if .Values.gatekeeper.enabled }} - name: gatekeeper namespace: {{ .Release.Namespace }} diff --git a/chart/templates/grafana/namespace.yaml b/chart/templates/grafana/namespace.yaml index 2b60cf2695b7f40a7884f5a45879f787663bca18..b9209894fae2be1e63bc8bf424102ce2d59c7c9d 100644 --- a/chart/templates/grafana/namespace.yaml +++ b/chart/templates/grafana/namespace.yaml 
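Review bot: In the redis ServiceMonitor block, `and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" ...) "STRICT")` is now true on clusters with no mesh because the `include` returns the non-empty string `false`, so `scheme: https` with `caFile: /etc/prom-certs/root-cert.pem` is emitted where the removed `.Values.istio.enabled` test would have left plain HTTP, and the scrape fails for want of sidecar certificates. Replace the first operand with `(eq (include "istioEnabled" .) "true")`. The grafana HelmRelease hunk has the same pattern in its `dependsOn` guard; at worst that renders an empty `dependsOn:`, but the fix is identical.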
@@ -7,6 +7,5 @@ metadata: app.kubernetes.io/name: monitoring app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }} {{- end }} - diff --git a/chart/templates/grafana/values.yaml b/chart/templates/grafana/values.yaml index cc7ab5920837e006535c0ac52974edf340028835..0f093e32aafc9cf23f593d4074410f3bad96f10e 100644 --- a/chart/templates/grafana/values.yaml +++ b/chart/templates/grafana/values.yaml @@ -8,7 +8,7 @@ hostname: {{ $domainName }} domain: {{ $domainName }} -{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled") .Values.istio.enabled) }} +{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.grafana) "enabled")) }} {{- $gitlabRedis := (and (ne .Values.addons.gitlab.redis.password "" ) (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled)) }} {{- $authserviceRedisEnabled := (and (dig "values" "redis" "enabled" false .Values.addons.authservice) .Values.addons.authservice.enabled) }} {{- $redisDatasource := (or $gitlabRedis .Values.addons.argocd.enabled $authserviceRedisEnabled) }} @@ -18,6 +18,8 @@ flux: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} ingressLabels: {{- $gateway := default "public" .Values.grafana.ingress.gateway }} 
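Review bot: `$istioInjection := (and (include "istioEnabled" .) (eq ... "enabled"))` is always true whenever grafana's injection value is `enabled`, regardless of whether any mesh is installed, because `include` returns the string `false`, not a boolean — the old expression tested `.Values.istio.enabled` directly. Whatever `$istioInjection` gates later in the file (outside this hunk) will therefore be emitted mesh-less; use `(eq (include "istioEnabled" .) "true")` here and on the namespace's `istio-injection` label above, which has the same form.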
@@ -34,7 +36,7 @@ gitlabRunner: istio: {{- $grafanaInjection := dig "istio" "injection" "enabled" .Values.grafana }} - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} hardened: enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.monitoring.values) @@ -48,7 +50,7 @@ istio: grafana: enabled: true gateways: - - istio-system/{{ default "public" .Values.grafana.ingress.gateway }} + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.grafana.ingress.gateway }} injection: {{ dig "istio" "injection" "enabled" .Values.grafana }} anchore: @@ -237,7 +239,7 @@ datasources: {{- end }} grafana.ini: - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} server: root_url: https://grafana.{{ $domainName }}/ {{- end }} diff --git a/chart/templates/istio-core/git-credentials.yaml b/chart/templates/istio-core/git-credentials.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0e5dad2418aff92e11a10e24c3bb833c035bc159 --- /dev/null +++ b/chart/templates/istio-core/git-credentials.yaml @@ -0,0 +1,7 @@ +{{- $gitCredsSecretDict := dict + "name" "istioCore" + "targetScope" .Values.istioCore + "releaseName" .Release.Name + "releaseNamespace" .Release.Namespace +}} +{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}} diff --git a/chart/templates/istio-core/gitrepository.yaml b/chart/templates/istio-core/gitrepository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fa167bda8cdcd0175cf1b11d16231ab91fd3ae2a --- /dev/null +++ b/chart/templates/istio-core/gitrepository.yaml 
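Review bot: `{{- if include "istioEnabled" . }}` is unconditionally true (the helper returns the non-empty string `false` when no mesh is enabled), so `server.root_url: https://grafana...` is now always written, whereas the removed line only did so under `.Values.istio.enabled`; change it to `{{- if eq (include "istioEnabled" .) "true" }}`. The `gateways:` entry in the middle hunk correctly switches to `istio-gateway/public-ingressgateway` for istioCore, but `$grafanaInjection` and `injection:` are derived from `.Values.grafana` only, so the VirtualService/Gateway pairing and the injection label can still disagree when only istioCore is on — worth a rendered-template check.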
@@ -0,0 +1,24 @@ +{{- if and (eq .Values.istioCore.sourceType "git") (not .Values.offline) .Values.istioCore.enabled }} +{{- $gitCredsDict := dict + "name" "istioCore" + "packageGitScope" .Values.istioCore.git + "rootScope" . + "releaseName" .Release.Name +}} +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: istio-core + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: istio-core + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +spec: + interval: {{ .Values.flux.interval }} + url: {{ .Values.istioCore.git.repo }} + ref: + {{- include "validRef" .Values.istioCore.git | nindent 4 }} + {{ include "gitIgnore" . }} + {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }} +{{- end }} diff --git a/chart/templates/istio-core/helmrelease.yaml b/chart/templates/istio-core/helmrelease.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c1d0cef674bd61041e27c85cf6dd112f2a826122 --- /dev/null +++ b/chart/templates/istio-core/helmrelease.yaml 
@@ -0,0 +1,69 @@ +{{- $fluxSettingsIstioCore := merge .Values.istioCore.flux .Values.flux -}} +{{- if and .Values.istioCore.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: istio-core + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: istio-core + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} + annotations: + checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-core/values.yaml") . | sha256sum }} +spec: + targetNamespace: istio-system + chart: + spec: + {{- if eq .Values.istioCore.sourceType "git" }} + chart: {{ .Values.istioCore.git.path }} + sourceRef: + kind: GitRepository + name: istio-core + namespace: {{ .Release.Namespace }} + {{- else }} + chart: {{ .Values.istioCore.helmRepo.chartName }} + version: {{ .Values.istioCore.helmRepo.tag }} + sourceRef: + kind: HelmRepository + name: {{ .Values.istioCore.helmRepo.repoName }} + namespace: {{ .Release.Namespace }} + {{- $repoType := include "getRepoType" (dict "repoName" .Values.istioCore.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}} + {{- if (and .Values.istioCore.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo + verify: + provider: cosign + secretRef: + name: {{ printf "%s-cosign-pub" .Values.istioCore.helmRepo.repoName }} + {{- end }} + {{- end }} + interval: 5m + + {{- toYaml $fluxSettingsIstioCore | nindent 2 }} + + {{- if .Values.istioCore.postRenderers }} + postRenderers: + {{ toYaml .Values.istioCore.postRenderers | nindent 4 }} + {{- end }} + valuesFrom: + - name: {{ .Release.Name }}-istio-core-values + kind: Secret + valuesKey: "common" + - name: {{ .Release.Name }}-istio-core-values + kind: Secret + valuesKey: "defaults" + - name: {{ .Release.Name }}-istio-core-values + kind: Secret + valuesKey: "overlays" + + {{- if or .Values.gatekeeper.enabled .Values.kyvernoPolicies.enabled }} + dependsOn: + {{- if .Values.gatekeeper.enabled }} + - name: gatekeeper 
+ namespace: {{ .Release.Namespace }} + {{- end }} + {{- if .Values.kyvernoPolicies.enabled }} + - name: kyverno-policies + namespace: {{ .Release.Namespace }} + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/istio-core/imagepullsecret.yaml b/chart/templates/istio-core/imagepullsecret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..25d5e217d0ef39d273d3fbbff79566510b01d557 --- /dev/null +++ b/chart/templates/istio-core/imagepullsecret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.istioCore.enabled }} +{{- if ( include "imagePullSecret" . ) }} +apiVersion: v1 +kind: Secret +metadata: + name: private-registry + namespace: istio-system + labels: + app.kubernetes.io/name: istio-core + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/istio-core/namespace.yaml b/chart/templates/istio-core/namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c50daddde2c0d71d7cdf000e2bb79cee3dd6992f --- /dev/null +++ b/chart/templates/istio-core/namespace.yaml @@ -0,0 +1,25 @@ +{{- if .Values.istioCore.enabled }} +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-base-managed: Reconcile + istio-injection: disabled + app.kubernetes.io/name: istio-core + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +{{- if or .Values.istioGatewayPublic.enabled .Values.istioGatewayPassthrough.enabled }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: istio-gateway + labels: + istio-gateway-managed: Reconcile + istio-injection: enabled + app.kubernetes.io/name: istio-gateway + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +{{- end }} +{{- end }} 
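Review bot: `{{- if and .Values.istioCore.enabled }}` applies `and` to a single operand, which is a no-op; write `{{- if .Values.istioCore.enabled }}`. The larger gap is that nothing in this commit prevents `istio.enabled` and `istioCore.enabled` from both being true: this release targets `istio-system` just as the legacy istio release does, the new helpers resolve gateway names by whichever flag they test first, and `istioEnabled` is an `or` — two control planes would be reconciled into one namespace. Add a hard guard, e.g. at the top of this file: `{{- if and .Values.istio.enabled .Values.istioCore.enabled }}{{- fail "istio and istioCore are mutually exclusive; enable only one" }}{{- end }}`.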
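Review bot: This Secret is named `private-registry` in `istio-system`; if the existing istio templates also render a `private-registry` Secret into `istio-system` (not visible on this page), enabling both packages produces two manifests for the same object in one Helm release and the install fails — another reason to add a mutual-exclusion `fail` guard. The condition here is only `istioCore.enabled`, consistent with the HelmRelease, so no change is needed beyond that guard.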
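Review bot: The namespaces created here are `istio-system` and `istio-gateway`, but the new `istioNamespaceSelector` helper elsewhere in this commit emits `egress: istio-core` when istioCore is enabled; unless the istio-core chart itself creates an `istio-core` namespace (not shown), every consumer's egress NetworkPolicy toward istiod will select a namespace that does not exist. Align the helper with what this template creates, `egress: istio-system`, or document where `istio-core` comes from with a comment on the helper. Labelling `istio-gateway` with `istio-injection: enabled` is expected for gateway pods, but since that namespace also becomes the target of the `private-registry-*` pull secrets, it is worth a comment stating that only gateway workloads are meant to run there.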
diff --git a/chart/templates/istio-core/values.yaml b/chart/templates/istio-core/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..918d8ed39231500bf8bd3c912f006d6c80318ef4 --- /dev/null +++ b/chart/templates/istio-core/values.yaml @@ -0,0 +1,34 @@ +{{- $pkg := "istioCore" }} + +{{- /* Create secret */ -}} +{{- if (get .Values $pkg).enabled }} +{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }} +{{- end }} + +{{- define "bigbang.defaults.istio-core" -}} +createNamespace: true + +enterprise: {{ .Values.istioCore.enterprise }} +imagePullPolicy: {{ .Values.imagePullPolicy }} + +imagePullSecrets: + - private-registry + +istiod: + networkPolicies: + enabled: {{ .Values.networkPolicies.enabled }} + controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + + monitoring: + enabled: {{ .Values.monitoring.enabled }} + +{{- if .Values.addons.authservice.enabled }} + meshConfig: + extensionProviders: + - name: "authservice" + envoyExtAuthzGrpc: + service: "authservice.authservice.svc.cluster.local" + port: "10003" +{{- end }} + +{{- end }} diff --git a/chart/templates/istio-gateway-passthrough/git-credentials.yaml b/chart/templates/istio-gateway-passthrough/git-credentials.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f9ca9c7e512beea2ac3871d2a0c6db798aeabd8f --- /dev/null +++ b/chart/templates/istio-gateway-passthrough/git-credentials.yaml @@ -0,0 +1,7 @@ +{{- $gitCredsSecretDict := dict + "name" "istioGatewayPassthrough" + "targetScope" .Values.istioGatewayPassthrough + "releaseName" .Release.Name + "releaseNamespace" .Release.Namespace +}} +{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}} 
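Review bot: The `authservice` extension provider is added to `meshConfig` only when `addons.authservice.enabled` is true, but the authservice templates in this same commit deploy authservice whenever monitoring, jaeger or tempo SSO is enabled (`or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) ...`); in those SSO-only configurations any AuthorizationPolicy that names provider `authservice` references a provider istiod does not know, and Istio treats an unknown CUSTOM provider as fail-closed, so those apps become unreachable rather than SSO-protected. Gate the provider on the same condition the authservice templates use — ideally factored into one helper (e.g. `authserviceEnabled`) referenced in both places. Minor: `port: "10003"` is a quoted string for a numeric field; Istio's meshConfig parsing tolerates it, but `port: 10003` is the documented form.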
diff --git a/chart/templates/istio-gateway-passthrough/gitrepository.yaml b/chart/templates/istio-gateway-passthrough/gitrepository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..adea7847cd09d6c5f3dfe4756ffe97c94a3e50a1 --- /dev/null +++ b/chart/templates/istio-gateway-passthrough/gitrepository.yaml @@ -0,0 +1,24 @@ +{{- if and (eq .Values.istioGatewayPassthrough.sourceType "git") (not .Values.offline) .Values.istioGatewayPassthrough.enabled }} +{{- $gitCredsDict := dict + "name" "istioGatewayPassthrough" + "packageGitScope" .Values.istioGatewayPassthrough.git + "rootScope" . + "releaseName" .Release.Name +}} +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: istio-gateway-passthrough + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: istio-gateway-passthrough + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +spec: + interval: {{ .Values.flux.interval }} + url: {{ .Values.istioGatewayPassthrough.git.repo }} + ref: + {{- include "validRef" .Values.istioGatewayPassthrough.git | nindent 4 }} + {{ include "gitIgnore" . }} + {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }} +{{- end }} diff --git a/chart/templates/istio-gateway-passthrough/helmrelease.yaml b/chart/templates/istio-gateway-passthrough/helmrelease.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4aa9620c39c191018f57727caeffb858dce9313d --- /dev/null +++ b/chart/templates/istio-gateway-passthrough/helmrelease.yaml 
@@ -0,0 +1,71 @@ +{{- $fluxSettingsIstioGatewayPassthrough := merge .Values.istioGatewayPassthrough.flux .Values.flux -}} +{{- if and .Values.istioCore.enabled .Values.istioGatewayPassthrough.enabled }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: passthrough-ingressgateway + namespace: {{ $.Release.Namespace }} + labels: + app.kubernetes.io/name: istio-gateway + app.kubernetes.io/component: "core" + {{- include "commonLabels" $ | nindent 4}} + annotations: + checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-gateway-passthrough/values.yaml") $ | sha256sum }} +spec: + releaseName: passthrough-ingressgateway + targetNamespace: istio-gateway + chart: + spec: + {{- if eq $.Values.istioGatewayPassthrough.sourceType "git" }} + chart: {{ $.Values.istioGatewayPassthrough.git.path }} + sourceRef: + kind: GitRepository + name: istio-gateway-passthrough + namespace: {{ $.Release.Namespace }} + {{- else }} + chart: {{ $.Values.istioGatewayPassthrough.helmRepo.chartName }} + version: {{ $.Values.istioGatewayPassthrough.helmRepo.tag }} + sourceRef: + kind: HelmRepository + name: {{ $.Values.istioGatewayPassthrough.helmRepo.repoName }} + namespace: {{ $.Release.Namespace }} + {{- $repoType := include "getRepoType" (dict "repoName" $.Values.istioGatewayPassthrough.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}} + {{- if (and $.Values.istioGatewayPassthrough.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo + verify: + provider: cosign + secretRef: + name: {{ printf "%s-cosign-pub" $.Values.istioGatewayPassthrough.helmRepo.repoName }} + {{- end }} + {{- end }} + interval: 5m + + {{- toYaml $fluxSettingsIstioGatewayPassthrough | nindent 2 }} + + {{- if $.Values.istioGatewayPassthrough.postRenderers }} + postRenderers: + {{ toYaml $.Values.istioGatewayPassthrough.postRenderers | nindent 4 }} + {{- end }} + valuesFrom: + - name: {{ $.Release.Name }}-istio-gateway-passthrough-values + kind: 
Secret + valuesKey: "common" + - name: {{ $.Release.Name }}-istio-gateway-passthrough-values + kind: Secret + valuesKey: "defaults" + - name: {{ $.Release.Name }}-istio-gateway-passthrough-values + kind: Secret + valuesKey: "overlays" + + dependsOn: + - name: istio-core + namespace: {{ $.Release.Namespace }} + {{- if $.Values.gatekeeper.enabled }} + - name: gatekeeper + namespace: {{ $.Release.Namespace }} + {{- end }} + {{- if $.Values.kyvernoPolicies.enabled }} + - name: kyverno-policies + namespace: {{ $.Release.Namespace }} + {{- end }} +{{- end }} diff --git a/chart/templates/istio-gateway-passthrough/imagepullsecret.yaml b/chart/templates/istio-gateway-passthrough/imagepullsecret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7469e7a3bfa538691a1bd0d97d4671673ca3da3b --- /dev/null +++ b/chart/templates/istio-gateway-passthrough/imagepullsecret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.istioGatewayPassthrough.enabled ( include "imagePullSecret" . ) }} +apiVersion: v1 +kind: Secret +metadata: + name: private-registry-passthrough + namespace: istio-gateway + labels: + app.kubernetes.io/name: istio-gateway-passthrough + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} +{{- end }} diff --git a/chart/templates/istio-gateway-passthrough/values.yaml b/chart/templates/istio-gateway-passthrough/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bf05d16a68d93c392d52d30bf601768d1ce905f2 --- /dev/null +++ b/chart/templates/istio-gateway-passthrough/values.yaml 
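Review bot: The passthrough imagePullSecret is gated only on `istioGatewayPassthrough.enabled`, while the HelmRelease in this same hunk set and the `istio-gateway` Namespace require `istioCore.enabled` as well, so with the legacy `istio` package enabled and `istioGatewayPassthrough.enabled` set, a registry-credential Secret is rendered into a namespace this chart never creates (and which the legacy package does not use). Use the same guard as the HelmRelease: `{{- if and .Values.istioCore.enabled .Values.istioGatewayPassthrough.enabled ( include "imagePullSecret" . ) }}`. The HelmRelease's unconditional `dependsOn: istio-core` is correct and should stay unconditional.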
@@ -0,0 +1,46 @@
+{{- $pkg := "istioGatewayPassthrough" }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.istio-gateway-passthrough" -}}
+createNamespace: true
+
+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+imagePullSecrets:
+ - name: private-registry-passthrough
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+labels:
+ istio: ingressgateway
+
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+
+gateway:
+ servers:
+ - hosts:
+ - '*.{{ .Values.domain }}'
+ port:
+ name: http
+ number: 8080
+ protocol: HTTP
+ tls:
+ httpsRedirect: true
+ - hosts:
+ - '*.{{ .Values.domain }}'
+ port:
+ name: https
+ number: 8443
+ protocol: HTTPS
+ tls:
+ mode: PASSTHROUGH
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/istio-gateway-public/git-credentials.yaml b/chart/templates/istio-gateway-public/git-credentials.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5a85066f08d8e9e203e18b907ca4f1704781fdc0
--- /dev/null
+++ b/chart/templates/istio-gateway-public/git-credentials.yaml
@@ -0,0 +1,7 @@
+{{- $gitCredsSecretDict := dict
+ "name" "istioGatewayPublic"
+ "targetScope" .Values.istioGatewayPublic
+ "releaseName" .Release.Name
+ "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
diff --git a/chart/templates/istio-gateway-public/gitrepository.yaml b/chart/templates/istio-gateway-public/gitrepository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..19149609e85e98c6bd115eff9bb94fb87657f00b
--- /dev/null
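Review bot: Both gateway charts in this commit set the same `labels: istio: ingressgateway` in the same `istio-gateway` namespace, and this passthrough Gateway serves `*.{{ .Values.domain }}` on 8443 in PASSTHROUGH mode while the public one serves the identical hosts and port in SIMPLE mode. If the gateway chart's Gateway resource selects workloads by that `istio` label alone (the selector is not visible here), each Gateway would bind to both deployments and Istio would report conflicting servers on 8443, with the winning TLS mode undefined. A per-gateway discriminating label alongside it, `app: passthrough-ingressgateway`, matching what the kiali values in this commit already assume (`app_label: passthrough-ingressgateway`), would keep the selectors disjoint; confirm against the gateway chart's Gateway selector.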
+++ b/chart/templates/istio-gateway-public/gitrepository.yaml
@@ -0,0 +1,24 @@
+{{- if and (eq .Values.istioGatewayPublic.sourceType "git") (not .Values.offline) .Values.istioGatewayPublic.enabled }}
+{{- $gitCredsDict := dict
+ "name" "istioGatewayPublic"
+ "packageGitScope" .Values.istioGatewayPublic.git
+ "rootScope" .
+ "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: istio-gateway-public
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: istio-gateway-public
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.istioGatewayPublic.git.repo }}
+ ref:
+ {{- include "validRef" .Values.istioGatewayPublic.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}
diff --git a/chart/templates/istio-gateway-public/helmrelease.yaml b/chart/templates/istio-gateway-public/helmrelease.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..59f88adba51a2a25426487e6c7a17658826b3f42
--- /dev/null
+++ b/chart/templates/istio-gateway-public/helmrelease.yaml
@@ -0,0 +1,75 @@ +{{- $fluxSettingsIstioGatewayPublic := merge .Values.istioGatewayPublic.flux .Values.flux -}} +{{- if and .Values.istioCore.enabled .Values.istioGatewayPublic.enabled }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: public-ingressgateway + namespace: {{ $.Release.Namespace }} + labels: + app.kubernetes.io/name: istio-gateway + app.kubernetes.io/component: "core" + {{- include "commonLabels" $ | nindent 4}} + annotations: + checksum/bigbang-values: {{ include (print $.Template.BasePath "/istio-gateway-public/values.yaml") $ | sha256sum }} +spec: + releaseName: public-ingressgateway + targetNamespace: istio-gateway + chart: + spec: + {{- if eq $.Values.istioGatewayPublic.sourceType "git" }} + chart: {{ $.Values.istioGatewayPublic.git.path }} + sourceRef: + kind: GitRepository + name: istio-gateway-public + namespace: {{ $.Release.Namespace }} + {{- else }} + chart: {{ $.Values.istioGatewayPublic.helmRepo.chartName }} + version: {{ $.Values.istioGatewayPublic.helmRepo.tag }} + sourceRef: + kind: HelmRepository + name: {{ $.Values.istioGatewayPublic.helmRepo.repoName }} + namespace: {{ $.Release.Namespace }} + {{- $repoType := include "getRepoType" (dict "repoName" $.Values.istioGatewayPublic.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}} + {{- if (and $.Values.istioGatewayPublic.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo + verify: + provider: cosign + secretRef: + name: {{ printf "%s-cosign-pub" $.Values.istioGatewayPublic.helmRepo.repoName }} + {{- end }} + {{- end }} + interval: 5m + + {{- toYaml $fluxSettingsIstioGatewayPublic | nindent 2 }} + + {{- if $.Values.istioGatewayPublic.postRenderers }} + postRenderers: + {{ toYaml $.Values.istioGatewayPublic.postRenderers | nindent 4 }} + {{- end }} + valuesFrom: + - name: {{ $.Release.Name }}-istio-gateway-public-values + kind: Secret + valuesKey: "common" + - name: {{ $.Release.Name }}-istio-gateway-public-values + kind: 
Secret + valuesKey: "defaults" + - name: {{ $.Release.Name }}-istio-gateway-public-values + kind: Secret + valuesKey: "overlays" + + dependsOn: + - name: istio-core + namespace: {{ $.Release.Namespace }} + {{- if $.Values.gatekeeper.enabled }} + - name: gatekeeper + namespace: {{ $.Release.Namespace }} + {{- end }} + {{- if $.Values.kyvernoPolicies.enabled }} + - name: kyverno-policies + namespace: {{ $.Release.Namespace }} + {{- end }} + {{- if $.Values.istioGatewayPassthrough.enabled }} + - name: passthrough-ingressgateway + namespace: {{ $.Release.Namespace }} + {{- end }} +{{- end }} diff --git a/chart/templates/istio-gateway-public/imagepullsecret.yaml b/chart/templates/istio-gateway-public/imagepullsecret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..014bcf840979ca846f9a300f8757fd7d1103c80e --- /dev/null +++ b/chart/templates/istio-gateway-public/imagepullsecret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.istioGatewayPublic.enabled ( include "imagePullSecret" . ) }} +apiVersion: v1 +kind: Secret +metadata: + name: private-registry-public + namespace: istio-gateway + labels: + app.kubernetes.io/name: istio-gateway-public + app.kubernetes.io/component: "core" + {{- include "commonLabels" . | nindent 4}} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} +{{- end }} diff --git a/chart/templates/istio-gateway-public/secret-tls.yaml b/chart/templates/istio-gateway-public/secret-tls.yaml new file mode 100644 index 0000000000000000000000000000000000000000..39b1958997a665c3ea597310405aab115b79c204 --- /dev/null +++ b/chart/templates/istio-gateway-public/secret-tls.yaml 
@@ -0,0 +1,20 @@
+{{- if and .Values.istioCore.enabled .Values.istioGatewayPublic.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: public-cert
+ namespace: istio-gateway
+ labels:
+ app.kubernetes.io/name: istio-gateway
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" $ | nindent 4}}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.istioGatewayPublic.tls.cert | b64enc }}
+ tls.key: {{ .Values.istioGatewayPublic.tls.key | b64enc }}
+ {{- if .Values.istioGatewayPublic.tls.ca }}
+ ca.crt: {{ .Values.istioGatewayPublic.tls.ca | b64enc }}
+ {{- end }}
+---
+{{- end }}
diff --git a/chart/templates/istio-gateway-public/values.yaml b/chart/templates/istio-gateway-public/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2faeb806fe08d492348e3608ad8d0cdbb0ad7e11
--- /dev/null
+++ b/chart/templates/istio-gateway-public/values.yaml
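Review bot: `tls.crt` and `tls.key` pipe `.Values.istioGatewayPublic.tls.cert` and `.tls.key` straight into `b64enc` with no presence check, so enabling the public gateway without supplying a certificate fails at render time with an unhelpful type error rather than a message naming the missing value, and an empty string would likely produce a `kubernetes.io/tls` Secret with empty fields that the gateway cannot use. Wrapping both in `required`, e.g. `tls.key: {{ required "istioGatewayPublic.tls.key must be set" .Values.istioGatewayPublic.tls.key | b64enc }}` and the same for `tls.cert`, makes the failure explicit at the point of misconfiguration. Since the gateway's private key arrives here as a plaintext chart value, an `existingSecret`-style option referencing a Secret already present in `istio-gateway` (cert-manager issued, or sealed) would avoid copying key material through the chart's values Secret; that is a design choice this commit does not address.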
@@ -0,0 +1,47 @@
+{{- $pkg := "istioGatewayPublic" }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" ($pkg | kebabcase) "defaults" (include (printf "bigbang.defaults.%s" $pkg | kebabcase) .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.istio-gateway-public" -}}
+createNamespace: true
+
+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+imagePullSecrets:
+ - name: private-registry-public
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+labels:
+ istio: ingressgateway
+
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+
+gateway:
+ servers:
+ - hosts:
+ - '*.{{ .Values.domain }}'
+ port:
+ name: http
+ number: 8080
+ protocol: HTTP
+ tls:
+ httpsRedirect: true
+ - hosts:
+ - '*.{{ .Values.domain }}'
+ port:
+ name: https
+ number: 8443
+ protocol: HTTPS
+ tls:
+ credentialName: public-cert
+ mode: SIMPLE
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/jaeger/helmrelease.yaml b/chart/templates/jaeger/helmrelease.yaml
index cf9ba28658407ddcd70e7ece29079ff228e3359c..91357a891c0d562c0f611f037dc322c6bca80b6f 100644
--- a/chart/templates/jaeger/helmrelease.yaml
+++ b/chart/templates/jaeger/helmrelease.yaml
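Review bot: The HTTPS server on 8443 (`mode: SIMPLE`, `credentialName: public-cert`) pins no `minProtocolVersion` or `cipherSuites`, so the TLS versions an internet-facing listener accepts depend on Istio's TLS_AUTO default and on any mesh-wide `tlsDefaults`, neither of which is visible here. For the public gateway I would set it explicitly under the 8443 `tls:` block, `minProtocolVersion: TLSV1_2` (TLSV1_3 where clients allow), so the policy survives Istio upgrades and mesh-config edits. The 8080 server with `httpsRedirect: true` is fine as the only plaintext surface.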
@@ -57,11 +57,15 @@ spec: kind: Secret valuesKey: "overlays" - {{ if or .Values.istio.enabled .Values.monitoring.enabled .Values.jaeger.sso.enabled .Values.elasticsearchKibana.enabled }} + {{ if or (include "istioEnabled" .) .Values.monitoring.enabled .Values.jaeger.sso.enabled .Values.elasticsearchKibana.enabled }} dependsOn: {{- if .Values.istio.enabled }} - name: istio namespace: {{ .Release.Namespace }} + {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} {{- end }} {{- if .Values.monitoring.enabled }} - name: monitoring diff --git a/chart/templates/jaeger/namespace.yaml b/chart/templates/jaeger/namespace.yaml index dabc0e00f2a292578c969cfe3a6f879c243487b8..a5c6f338312741a8ba3d41ab3e6e7c19c990d0d4 100644 --- a/chart/templates/jaeger/namespace.yaml +++ b/chart/templates/jaeger/namespace.yaml @@ -4,7 +4,7 @@ kind: Namespace metadata: name: jaeger labels: - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.jaeger) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.jaeger) "enabled")) }} app.kubernetes.io/name: jaeger app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} diff --git a/chart/templates/jaeger/values.yaml b/chart/templates/jaeger/values.yaml index e748950a00fa435bfff0f26df43c43253806c51c..ee48c7de158e2390d3bb44addd3855ab74d98bcb 100644 --- a/chart/templates/jaeger/values.yaml +++ b/chart/templates/jaeger/values.yaml 
@@ -15,18 +15,18 @@ hostname: {{ $domainName }} domain: {{ $domainName }} istio: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} hardened: enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.jaeger.values) (dig "hardened" "enabled" false .Values.istio.values) }} jaeger: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} gateways: - - istio-system/{{ default "public" .Values.jaeger.ingress.gateway }} + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.jaeger.ingress.gateway }} -{{- if .Values.istio.enabled }} +{{- if include "istioEnabled" . }} annotations: {{ include "istioAnnotation" . }} {{- end }} @@ -34,7 +34,7 @@ annotations: monitoring: enabled: {{ .Values.monitoring.enabled }} # conditional passes only for default istio: enabled, mTLS: SCRICT - {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.jaeger.values) "STRICT") }} + {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.jaeger.values) "STRICT") }} serviceMonitor: scheme: https tlsConfig: @@ -51,10 +51,10 @@ sso: enabled: {{ .Values.jaeger.sso.enabled }} -{{- if or .Values.jaeger.sso.enabled .Values.istio.enabled .Values.kiali.enabled }} +{{- if or .Values.jaeger.sso.enabled (include "istioEnabled" .) .Values.kiali.enabled }} jaeger: spec: - {{- if or .Values.jaeger.sso.enabled .Values.istio.enabled }} + {{- if or .Values.jaeger.sso.enabled (include "istioEnabled" .) }} {{- $jaegerAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }} {{- $jaegerAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }} allInOne: @@ -62,7 +62,7 @@ jaeger: labels: {{ $jaegerAuthserviceKey }}: {{ $jaegerAuthserviceValue }} {{- end }} - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} annotations: {{ include "istioAnnotation" . }} {{- end }} 
@@ -71,12 +71,12 @@ jaeger: labels: {{ $jaegerAuthserviceKey }}: {{ $jaegerAuthserviceValue }} {{- end }} - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} annotations: {{ include "istioAnnotation" . }} {{- end }} {{- end }} - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} agent: annotations: {{ include "istioAnnotation" . }} @@ -92,6 +92,8 @@ openshift: enabled: {{ .Values.openshift }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} ingressLabels: {{- $gateway := default "public" .Values.jaeger.ingress.gateway }} diff --git a/chart/templates/keycloak/helmrelease.yaml b/chart/templates/keycloak/helmrelease.yaml index 1390da94ec79ca13604a8c7a6ca9ec214cce7e23..14b6034012d9d33b7a81fbf15bcb3dfcdd7bdcf0 100644 --- a/chart/templates/keycloak/helmrelease.yaml +++ b/chart/templates/keycloak/helmrelease.yaml @@ -59,7 +59,7 @@ spec: kind: Secret valuesKey: "overlays" - {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }} + {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }} dependsOn: {{- if .Values.gatekeeper.enabled }} - name: gatekeeper @@ -69,6 +69,10 @@ spec: - name: istio namespace: {{ .Release.Namespace }} {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} + {{- end }} {{- if .Values.kyvernoPolicies.enabled }} - name: kyverno-policies namespace: {{ .Release.Namespace }} diff --git a/chart/templates/keycloak/namespace.yaml b/chart/templates/keycloak/namespace.yaml index 0a37a9e353accd95ad25f6b2fbb9ec0263e89ab3..065544a6ccee19819b4f72faa9a5ebf912b22202 100644 --- a/chart/templates/keycloak/namespace.yaml +++ b/chart/templates/keycloak/namespace.yaml 
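Review bot: In the `@@ -92,6 +92,8 @@` hunk of chart/templates/jaeger/values.yaml, `ingressLabels` is still derived from `.Values.istio` (`$gateway` and `$default` dig `istio.gateways.<name>.ingressGateway`) even when the mesh is provided by `istioCore`, while the `gateways:` entry earlier in this file now points at `istioGatewayNamespace`/`istioPublicGateway`. If `.Values.istio.gateways` is not populated when `istio.enabled` is false, the rendered labels may not select the new `public-ingressgateway` pods in `istio-gateway`, and any NetworkPolicy built from them would block the gateway; the kiali values in this commit handle this with an explicit `{{- if .Values.istioCore.enabled }}` branch. Mirroring that branch here (and in the keycloak and minio-operator values, which keep the same pattern) would make the packages consistent; the rest of `ingressLabels` is outside the hunk.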
@@ -5,7 +5,7 @@ kind: Namespace metadata: name: {{ $name }} labels: - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }} app.kubernetes.io/name: {{ $name }} app.kubernetes.io/component: "security-tools" {{- include "commonLabels" . | nindent 4 }} diff --git a/chart/templates/keycloak/values.yaml b/chart/templates/keycloak/values.yaml index 7f6de7f0b066a42439ba06c00ae392e7ab842516..eaac46fb5061bf7260916e80afea55a7cb27b824 100644 --- a/chart/templates/keycloak/values.yaml +++ b/chart/templates/keycloak/values.yaml @@ -18,10 +18,10 @@ domain: {{ $domainName }} openshift: {{ .Values.openshift }} -{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled") .Values.istio.enabled) }} +{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.keycloak) "enabled")) }} istio: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} hardened: enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.addons.keycloak.values) @@ -31,7 +31,7 @@ istio: keycloak: enabled: true gateways: - - istio-system/{{ default "public" .Values.addons.keycloak.ingress.gateway }} + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPassthroughGateway" . ) .Values.addons.keycloak.ingress.gateway }} {{- if $istioInjection }} podAnnotations: 
@@ -41,6 +41,8 @@ podAnnotations: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} ingressLabels: {{- $gateway := default "passthrough" .Values.addons.keycloak.ingress.gateway }} {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} diff --git a/chart/templates/kiali/helmrelease.yaml b/chart/templates/kiali/helmrelease.yaml index 800b1a5f74763083af2af46e0f360ea398148a75..0b720284fbff0fbd73b7a545de4a1861816cbae1 100644 --- a/chart/templates/kiali/helmrelease.yaml +++ b/chart/templates/kiali/helmrelease.yaml @@ -55,11 +55,15 @@ spec: kind: Secret valuesKey: "overlays" - {{ if or .Values.istio.enabled .Values.monitoring.enabled }} + {{ if or (include "istioEnabled" . ) .Values.monitoring.enabled }} dependsOn: {{- if .Values.istio.enabled }} - name: istio namespace: {{ .Release.Namespace }} + {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} {{- end }} {{- if .Values.monitoring.enabled }} - name: monitoring diff --git a/chart/templates/kiali/namespace.yaml b/chart/templates/kiali/namespace.yaml index 56ef0e8f10ca2efc315792214726805aa39742c6..e94074d054b8d3dd8240f6577518926a11622f13 100644 --- a/chart/templates/kiali/namespace.yaml +++ b/chart/templates/kiali/namespace.yaml @@ -4,7 +4,7 @@ kind: Namespace metadata: name: kiali labels: - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.kiali) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.kiali) "enabled")) }} app.kubernetes.io/name: kiali app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} 
diff --git a/chart/templates/kiali/values.yaml b/chart/templates/kiali/values.yaml index a42a8cebeaf878f44d2b78021a989dc0ab0d1b5e..dbd9de02bc332d21568c85a711b344c2eab2cc9a 100644 --- a/chart/templates/kiali/values.yaml +++ b/chart/templates/kiali/values.yaml @@ -16,7 +16,7 @@ image: pullPolicy: {{ .Values.imagePullPolicy }} istio: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} hardened: enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.kiali.values) @@ -26,9 +26,9 @@ istio: enabled: {{ .Values.monitoring.enabled }} kiali: gateways: - - istio-system/{{ default "public" .Values.kiali.ingress.gateway }} + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.kiali.ingress.gateway }} -{{- if .Values.istio.enabled }} +{{- if include "istioEnabled" . }} podAnnotations: {{ include "istioAnnotation" . }} {{- end }} @@ -43,9 +43,12 @@ elasticsearch: enabled: {{ .Values.elasticsearchKibana.enabled }} cr: spec: + {{- if .Values.istioCore.enabled }} + istio_namespace: istio-system + {{- end}} deployment: image_pull_policy: {{ .Values.imagePullPolicy }} - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} pod_annotations: {{ include "istioAnnotation" . }} {{- end }} @@ -97,6 +100,7 @@ cr: - app_label: istiod is_core: true is_proxy: false + {{- if .Values.istio.enabled }} {{- range $name, $values := .Values.istio.ingressGateways }} {{ if ne $values.enabled false }} - app_label: {{ $name }} 
@@ -111,6 +115,23 @@ cr: is_proxy: true {{- end }} {{- end }} + {{- end }} + {{- if .Values.istioGatewayPublic.enabled }} + - app_label: public-ingressgateway + is_core: true + is_proxy: true + namespace: istio-gateway + {{- end }} + {{- if .Values.istioGatewayPassthrough.enabled }} + - app_label: passthrough-ingressgateway + is_core: true + is_proxy: true + namespace: istio-gateway + {{- end }} + {{- if .Values.istioCore.enabled }} + ingress_gateway_namespace: istio-gateway + egress_gateway_namespace: istio-gateway + {{- end }} api: namespaces: # bigbang watches all! @@ -118,8 +139,16 @@ cr: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} ingressLabels: + {{- if .Values.istio.enabled }} {{- $gateway := default "public" .Values.kiali.ingress.gateway }} {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} + {{- end }} + {{- if .Values.istioCore.enabled }} + app: public-ingressgateway + istio: ingressgateway + {{- end }} {{- end -}} diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml index 730aa4be62bec56bd20702695733f010110761ff..edb9c7f3c09fdcd27608234956acb35c7703704c 100644 --- a/chart/templates/kyverno-policies/values.yaml +++ b/chart/templates/kyverno-policies/values.yaml @@ -55,7 +55,7 @@ policies: # Istio services (istio ingress) can create type: NodePort services disallow-nodeport-services: validationFailureAction: Enforce - {{- if $nodePortIngressGateways }} + {{- if or $nodePortIngressGateways .Values.istioCore.enabled }} exclude: any: - resources: 
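Review bot: In the `@@ -118,8 +139,16 @@` hunk, the `istioCore` branch of `ingressLabels` hardcodes `app: public-ingressgateway`, whereas the `gateways:` entry earlier in this file honours `.Values.kiali.ingress.gateway`; a deployer who routes Kiali through the passthrough gateway would get a VirtualService on one gateway and ingress labels (and presumably the NetworkPolicy derived from them) selecting the other. If `istioPublicGateway` renders the gateway's `app` label value, as its use on the `gateways:` line suggests, `app: {{ default (include "istioPublicGateway" .) .Values.kiali.ingress.gateway }}` would keep the two in step. The `istio.enabled` and `istioCore.enabled` branches are also not mutually exclusive in the template, so enabling both would emit duplicate `app`/`istio` keys; an `else if` would make the precedence explicit.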
@@ -67,6 +67,20 @@ policies: {{- end }} namespaces: - "istio-system" + {{- if .Values.istioCore.enabled }} + - resources: + kinds: + - Service + names: + {{- if .Values.istioGatewayPassthrough.enabled }} + - "istio-gateway-passthrough-ingressgateway" + {{- end }} + {{- if .Values.istioGatewayPublic }} + - "public-ingressgateway" + {{- end }} + namespaces: + - "istio-gateway" + {{- end }} {{- end }} disallow-image-tags: @@ -74,13 +88,14 @@ policies: validationFailureAction: Enforce disallow-istio-injection-bypass: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} exclude: any: # Istio does not inject itself - resources: namespaces: - istio-system + - istio-gateway disallow-namespaces: enabled: true @@ -268,7 +283,7 @@ policies: - app.kubernetes.io/version require-istio-on-namespaces: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} exclude: any: - resources: @@ -285,6 +300,7 @@ policies: # Istio does not inject itself - istio-operator - istio-system + - istio-gateway add-default-securitycontext: validationFailureAction: Enforce @@ -380,7 +396,7 @@ policies: require-non-root-group: validationFailureAction: Enforce - {{ if .Values.istio.enabled }} + {{ if include "istioEnabled" . }} parameters: excludeContainers: - istio-init @@ -398,6 +414,13 @@ policies: - resources: namespaces: - kube-system + {{ if .Values.istioCore.enabled }} + - resources: + namespaces: + - istio-system + names: + - istiod* + {{- end }} {{- if $deployNodeAgent }} # Velero. The node agent backup tool requires root group access to see the host's runtime pod directory which is # mounted inside velero/node agent pods. @@ -462,7 +485,7 @@ policies: require-non-root-user: validationFailureAction: Enforce - {{ if .Values.istio.enabled }} + {{ if include "istioEnabled" . }} parameters: excludeContainers: - istio-init 
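Review bot: In the `@@ -67,6 +67,20 @@` hunk, `{{- if .Values.istioGatewayPublic }}` tests the whole values map rather than `.Values.istioGatewayPublic.enabled`, so the `disallow-nodeport-services` exclusion for `public-ingressgateway` in `istio-gateway` is emitted even when the public gateway is disabled, leaving a named NodePort exemption that any Service created with that name in the namespace could claim. Fixing it to `{{- if .Values.istioGatewayPublic.enabled }}` exposes a second problem: with both gateways disabled, `names:` renders empty and the exclusion would then cover every Service in `istio-gateway`, so the outer guard should be `{{- if and .Values.istioCore.enabled (or .Values.istioGatewayPassthrough.enabled .Values.istioGatewayPublic.enabled) }}`. The passthrough entry exempts `istio-gateway-passthrough-ingressgateway`, while the HelmRelease added in this commit uses `releaseName: passthrough-ingressgateway` and the kiali values expect `app_label: passthrough-ingressgateway`; the actual Service name depends on the gateway chart, so confirm it, because a mismatched name silently blocks the passthrough NodePort Service under Enforce.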
@@ -586,7 +609,7 @@ policies: allow: # Defaults from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - NET_BIND_SERVICE - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} # Istio requires NET_ADMIN and NET_RAW for sidecar init: https://istio.io/latest/docs/ops/deployment/requirements/#pod-requirements # It uses these permissions to setup iptables for network routing # Cannot create exclusion since sidecar is injected in most containers, so allow the capabilities globally @@ -1128,7 +1151,7 @@ policies: - gitlab-runner-* istio: - enabled: {{ .Values.istio.enabled }} + enabled: {{ include "istioEnabled" . }} {{- end }} diff --git a/chart/templates/kyverno-reporter/values.yaml b/chart/templates/kyverno-reporter/values.yaml index 0e01f9ae0dc29b0cdbdeef4b2bdd98b6fd33f5f5..f415f7c9cc1f31c81f3e0ef5bb84af4569f6cb25 100644 --- a/chart/templates/kyverno-reporter/values.yaml +++ b/chart/templates/kyverno-reporter/values.yaml @@ -67,6 +67,8 @@ openshift: {{ .Values.openshift }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} {{- end -}} diff --git a/chart/templates/loki/helmrelease.yaml b/chart/templates/loki/helmrelease.yaml index 4e58d99a9efc329a741b791d09b9eee803c2b730..6bef4d220a3713937fa60ac6934893f5a4650ef7 100644 --- a/chart/templates/loki/helmrelease.yaml +++ b/chart/templates/loki/helmrelease.yaml @@ -78,6 +78,10 @@ spec: - name: istio namespace: {{ .Release.Namespace }} {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} + {{- end }} {{- if .Values.kyvernoPolicies.enabled }} - name: kyverno-policies namespace: {{ .Release.Namespace }} 
diff --git a/chart/templates/loki/namespace.yaml b/chart/templates/loki/namespace.yaml index bd0e5687fe0d081ff5e6fc0fa88f856f30eb606a..ce2a721278704b8b66c9a20ce821130afa8bd1c0 100644 --- a/chart/templates/loki/namespace.yaml +++ b/chart/templates/loki/namespace.yaml @@ -7,5 +7,5 @@ metadata: app.kubernetes.io/name: logging app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.loki) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.loki) "enabled")) }} {{- end }} diff --git a/chart/templates/loki/values.yaml b/chart/templates/loki/values.yaml index f0b67d1110152ace4d055b35d8d788e42212075d..c2c38ce8a3db354829b414950aff25da5e750d2c 100644 --- a/chart/templates/loki/values.yaml +++ b/chart/templates/loki/values.yaml @@ -13,8 +13,8 @@ clusterName: "" openshift: {{ .Values.openshift }} istio: - enabled: {{ .Values.istio.enabled }} - {{- if or + enabled: {{ include "istioEnabled" . }} + {{- if or (dig "hardened" "enabled" false .Values.istio.values) (dig "istio" "hardened" "enabled" false .Values.monitoring.values) (dig "istio" "hardened" "enabled" false .Values.addons.authservice.values) @@ -34,6 +34,10 @@ istio: minioOperator: enabled: {{ .Values.addons.minioOperator.enabled }} {{- end }} + loki: + enabled: true + gateways: + - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) }} imagePullSecrets: - name: private-registry 
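Review bot: In the `@@ -34,6 +34,10 @@` hunk of chart/templates/loki/values.yaml, `{{ default (include "istioPublicGateway" . ) }}` calls `default` with only its fallback argument, so unlike every other package in this commit (`default (include "istioPublicGateway" .) .Values.<pkg>.ingress.gateway`) the Loki gateway cannot be overridden; if Loki's values expose `ingress.gateway`, pass it as the second argument, `- {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" .) .Values.loki.ingress.gateway }}`. The new `istio.loki.enabled: true` is unconditional; if the Loki chart reads it as "create a VirtualService", this publishes Loki's HTTP API through the public gateway in every install, and Loki performs no request authentication of its own, so confirm it sits behind authservice/SSO or gate the block on a value.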
@@ -44,13 +48,15 @@ image: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + istioNamespaceSelector: + {{ include "istioNamespaceSelector" . | nindent 4 }} monitoring: enabled: {{ .Values.monitoring.enabled }} serviceMonitor: enabled: {{ .Values.monitoring.enabled }} # conditional passes only for default istio: enabled, mTLS: SCRICT - {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.loki.values) "STRICT") }} + {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.loki.values) "STRICT") }} scheme: https tlsConfig: caFile: /etc/prom-certs/root-cert.pem @@ -102,7 +108,7 @@ loki: filesystem: directory: /var/loki/chunks {{- end }} - {{- if .Values.istio.enabled }} + {{- if include "istioEnabled" . }} podAnnotations: {{ include "istioAnnotation" . }} {{- end }} diff --git a/chart/templates/metrics-server/namespace.yaml b/chart/templates/metrics-server/namespace.yaml index ac5f12982612cfe3debe827189527e37c69c0248..db44ee2f9e6f4a077a4779a7ce263d0cd734329c 100644 --- a/chart/templates/metrics-server/namespace.yaml +++ b/chart/templates/metrics-server/namespace.yaml @@ -9,6 +9,6 @@ metadata: app.kubernetes.io/name: metrics-server app.kubernetes.io/component: "cluster-utilities" {{- include "commonLabels" . | nindent 4}} - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.metricsServer) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.metricsServer) "enabled")) }} name: metrics-server {{- end }} diff --git a/chart/templates/minio-operator/helmrelease.yaml b/chart/templates/minio-operator/helmrelease.yaml index 65d539cdffcf745d48a71b0f90b11378dab49d54..ee2d0ea685d5e57cae5245146d7b4cbf17142426 100644 --- a/chart/templates/minio-operator/helmrelease.yaml 
+++ b/chart/templates/minio-operator/helmrelease.yaml @@ -69,6 +69,10 @@ spec: - name: istio namespace: {{ .Release.Namespace }} {{- end }} + {{- if .Values.istioCore.enabled }} + - name: istio-core + namespace: {{ .Release.Namespace }} + {{- end }} {{- if .Values.kyvernoPolicies.enabled }} - name: kyverno-policies namespace: {{ .Release.Namespace }} diff --git a/chart/templates/minio-operator/namespace.yaml b/chart/templates/minio-operator/namespace.yaml index e18fda7f8c846f815a654404db343bf7b25c3033..42f9a5b84a5c1fa7cce751d5f53af99ccefa09c8 100644 --- a/chart/templates/minio-operator/namespace.yaml +++ b/chart/templates/minio-operator/namespace.yaml @@ -4,7 +4,7 @@ kind: Namespace metadata: name: minio-operator labels: - istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.minioOperator) "enabled")) }} + istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.minioOperator) "enabled")) }} app.kubernetes.io/name: minioOperator app.kubernetes.io/component: "application-utilities" {{- include "commonLabels" . | nindent 4}} diff --git a/chart/templates/minio-operator/values.yaml b/chart/templates/minio-operator/values.yaml index a3166366fe6d763f864f1b99df3e512944652b93..482aca0f1b021694eb05d1589fa431dfdb7506e4 100644 --- a/chart/templates/minio-operator/values.yaml +++ b/chart/templates/minio-operator/values.yaml 
@@ -38,13 +38,15 @@ operator:
 networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
 controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
 ingressLabels:
 {{- $gateway := default "public" .Values.addons.minio.ingress.gateway }}
 {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
 {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 istio:
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.addons.minioOperator.values)
@@ -53,9 +55,9 @@ istio:
 }}
 console:
 gateways:
- - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}
-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 annotations:
 {{ include "istioAnnotation" . }}
 {{- end }}
diff --git a/chart/templates/minio/namespace.yaml b/chart/templates/minio/namespace.yaml
index 5133e83cc2a95d039eda909cab0d730388d69ab0..c8fe4c9417e2afd95a1e6926e8841ed4ed235a1e 100644
--- a/chart/templates/minio/namespace.yaml
+++ b/chart/templates/minio/namespace.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
 name: minio
 labels:
- istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.minio) "enabled")) }}
+ istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.minio) "enabled")) }}
 app.kubernetes.io/name: minio
 app.kubernetes.io/component: "application-utilities"
 {{- include "commonLabels" . | nindent 4}}
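Review bot: `ingressLabels:` in this hunk still derives the NetworkPolicy selector from `.Values.istio` unconditionally, while the monitoring, neuvector and tempo values templates in this diff wrap that block in `{{- if .Values.istio.enabled }}` and add a separate selector for the istioCore case. With istio disabled and istioCore enabled, `dig "gateways" $gateway "ingressGateway" nil .Values.istio` resolves to nil, so the selector renders as `app: null` and gateway traffic to minio is blocked by the policy, even though the `gateways:` entry below now points at the new gateway via the helpers. The sonarqube values hunk in this diff adds `istioNamespaceSelector` but leaves its `ingressLabels` with the same gap.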
diff --git a/chart/templates/minio/values.yaml b/chart/templates/minio/values.yaml
index e62638202dc039d843cd5bbb89a13c9e5635ec5c..5b0d1c53ea13c3ab15f09d1c2aff4259ee8c7730 100644
--- a/chart/templates/minio/values.yaml
+++ b/chart/templates/minio/values.yaml
@@ -9,13 +9,13 @@ hostname: {{ $domainName }}
 domain: {{ $domainName }}
 istio:
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 console:
 gateways:
- - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}
 api:
 gateways:
- - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.minio.ingress.gateway }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.addons.minioOperator.values)
@@ -23,7 +23,7 @@ istio:
 (dig "hardened" "enabled" false .Values.istio.values)
 }}
-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 annotations:
 {{ include "istioAnnotation" . }}
 {{- end }}
diff --git a/chart/templates/monitoring/helmrelease.yaml b/chart/templates/monitoring/helmrelease.yaml
index d526e0f19586744f3191fdc38360099f7f9d9100..023d1186b9b0ae8b080f2760bf119cbb31fb72a3 100644
--- a/chart/templates/monitoring/helmrelease.yaml
+++ b/chart/templates/monitoring/helmrelease.yaml
@@ -56,12 +56,16 @@ spec:
 valuesKey: "overlays"
 # TODO: DRY this up
- {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.addons.vault.enabled }}
+ {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.addons.vault.enabled }}
 dependsOn:
 {{- if .Values.istio.enabled }}
 - name: istio
 namespace: {{ .Release.Namespace }}
 {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ - name: istio-core
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
 {{- if .Values.gatekeeper.enabled }}
 - name: gatekeeper
 namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/monitoring/namespace.yaml b/chart/templates/monitoring/namespace.yaml
index 89b930f4ed47d36fbe464641af965f3431129edc..818b8e84e003a499e0ee5860f924eaa179208146 100644
--- a/chart/templates/monitoring/namespace.yaml
+++ b/chart/templates/monitoring/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
 app.kubernetes.io/name: monitoring
 app.kubernetes.io/component: "core"
 {{- include "commonLabels" . | nindent 4}}
- istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
+ istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
 {{- end }}
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index 886110eeee9a09a3619ca20d4d9e6b07f1e55a2d..be54fc9c6a4bfa6d9a889da86eb55f6fd6aabba5 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -8,7 +8,7 @@ hostname: {{ $domainName }}
 domain: {{ $domainName }}
-{{- $istioInjection := (and (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled") .Values.istio.enabled) }}
+{{- $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.monitoring) "enabled")) }}
 {{- $gitlabRedis := (and (ne .Values.addons.gitlab.redis.password "" ) (or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled)) }}
 {{- $authserviceRedisEnabled := (and (dig "values" "redis" "enabled" false .Values.addons.authservice) .Values.addons.authservice.enabled) }}
 {{- $redisDatasource := (or $gitlabRedis .Values.addons.argocd.enabled $authserviceRedisEnabled) }}
@@ -21,11 +21,19 @@ flux:
 networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
 controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 ingressLabels:
+ {{- if .Values.istio.enabled }}
 {{- $gateway := default "public" .Values.monitoring.ingress.gateway }}
 {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
 {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ app: public-ingressgateway
+ istio: ingressgateway
+ {{- end }}
 openshift: {{ .Values.openshift }}
@@ -37,7 +45,7 @@ gitlabRunner:
 istio:
 {{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.monitoring.values)
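Review bot: The istioCore branch of `ingressLabels:` hardcodes `app: public-ingressgateway` / `istio: ingressgateway` for the NetworkPolicy selector and ignores `.Values.monitoring.ingress.gateway`, while the `gateways:` entries later in this file still honour that override through `default (include "istioPublicGateway" .) .Values.monitoring.ingress.gateway`. If the passthrough gateway's pods carry a different `app` label, as the `passthrough-ingressgateway` hrName in tests/package-mapping.yaml suggests, a package routed to it is reachable via its VirtualService but its NetworkPolicy only admits the public gateway's pods. When `istio.enabled` and `istioCore.enabled` are both true the two branches also emit `app:`/`istio:` keys twice under the same mapping. The neuvector and tempo values hunks in this diff add the same hardcoded pair.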
@@ -76,7 +84,7 @@ istio:
 namespace: authservice
 {{- end }}
 gateways:
- - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
 alertmanager:
 enabled: true
 {{- if and .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
@@ -85,7 +93,7 @@ istio:
 namespace: authservice
 {{- end }}
 gateways:
- - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
 injection: {{ dig "istio" "injection" "enabled" .Values.monitoring }}
 alertmanager:
@@ -112,7 +120,7 @@ alertmanager:
 {{ include "istioAnnotation" . }}
 {{- end }}
 {{- end }}
- {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+ {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
 serviceMonitor:
 scheme: https
 tlsConfig:
@@ -143,7 +151,7 @@ prometheus:
 thanosServiceMonitor:
 enabled: true
- {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+ {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
 serviceMonitor:
 scheme: https
 tlsConfig:
@@ -154,7 +162,7 @@ prometheus:
 {{- end }}
 {{- end }}
 prometheusSpec:
- {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
+ {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.monitoring.values) "STRICT") }}
 alertingEndpoints:
 - name: monitoring-monitoring-kube-alertmanager
 namespace: monitoring
diff --git a/chart/templates/neuvector/helmrelease.yaml b/chart/templates/neuvector/helmrelease.yaml
index a667f095d66ef8b27135501d6814eb208fd36c9e..e5faf6421766148317d98d6e0cf2f8805f94937b 100644
--- a/chart/templates/neuvector/helmrelease.yaml
+++ b/chart/templates/neuvector/helmrelease.yaml
@@ -55,7 +55,7 @@ spec:
 kind: Secret
 valuesKey: "overlays"
- {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+ {{- if or .Values.gatekeeper.enabled (include "istioEnabled" .) .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
 dependsOn:
 {{- if .Values.gatekeeper.enabled }}
 - name: gatekeeper
@@ -65,6 +65,10 @@ spec:
 - name: istio
 namespace: {{ .Release.Namespace }}
 {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ - name: istio-core
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
 {{- if .Values.kyvernoPolicies.enabled }}
 - name: kyverno-policies
 namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/neuvector/namespace.yaml b/chart/templates/neuvector/namespace.yaml
index a231b71f7c8b281ea1291eca1317aa5489cef545..2a5da6412cf7deb5eead0abc6017b781bdaa30bc 100644
--- a/chart/templates/neuvector/namespace.yaml
+++ b/chart/templates/neuvector/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
 app.kubernetes.io/name: neuvector
 app.kubernetes.io/component: "sandbox"
 {{- include "commonLabels" . | nindent 4}}
- istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
+ istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/neuvector/values.yaml b/chart/templates/neuvector/values.yaml
index 832672c5a46687067a8cbee8f76615e1368f2694..00f975a538bf2d5ac66ea93afcb34f22a0af020a 100644
--- a/chart/templates/neuvector/values.yaml
+++ b/chart/templates/neuvector/values.yaml
@@ -7,10 +7,10 @@ domain: {{ default .Values.domain .Values.hostname }}
 openshift: {{ .Values.openshift }}
-{{ $istioInjection := (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
+{{ $istioInjection := (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}
 istio:
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.neuvector.values)
@@ -18,7 +18,7 @@ istio:
 }}
 neuvector:
 gateways:
- - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.monitoring.ingress.gateway }}
 injection: {{ ternary "enabled" "disabled" $istioInjection }}
 monitoring:
@@ -113,7 +113,7 @@ cve:
 {{- end }}
 {{- end }}
-{{- if or .Values.istio.enabled $.Values.kiali.enabled }}
+{{- if or (include "istioEnabled" .) $.Values.kiali.enabled }}
 manager:
 {{- if $istioInjection }}
 podAnnotations:
@@ -124,10 +124,18 @@ manager:
 networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
 controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
 ingressLabels:
+ {{- if .Values.istio.enabled }}
 {{- $gateway := default "public" .Values.neuvector.ingress.gateway }}
 {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
 {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ app: public-ingressgateway
+ istio: ingressgateway
+ {{- end }}
 {{- end }}
 {{- /* Create secret */ -}}
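Review bot: The new `gateways:` line in the `@@ -18,7 +18,7 @@` hunk reads `.Values.monitoring.ingress.gateway` where the removed line read `.Values.neuvector.ingress.gateway`; this looks like a copy-paste from the monitoring template, and it diverges from the `ingressLabels` block later in this same file, which still keys off `.Values.neuvector.ingress.gateway`, so neuvector's VirtualService and its NetworkPolicy selector can end up bound to different gateways. Change it to `- {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.neuvector.ingress.gateway }}`.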
diff --git a/chart/templates/promtail/helmrelease.yaml b/chart/templates/promtail/helmrelease.yaml
index 921a3acf304ba4e703c11fc6dce4e7fbdebb6e95..40c0518b5bb3d9faf241d0b7f0a3075a307da9d0 100644
--- a/chart/templates/promtail/helmrelease.yaml
+++ b/chart/templates/promtail/helmrelease.yaml
@@ -70,6 +70,10 @@ spec:
 - name: istio
 namespace: {{ .Release.Namespace }}
 {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ - name: istio-core
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
 {{- if .Values.kyvernoPolicies.enabled }}
 - name: kyverno-policies
 namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/promtail/namespace.yaml b/chart/templates/promtail/namespace.yaml
index a65c30ac6d647bf6624c73411aa8c3088159133c..93c357ba4c7cb0839500489e91a71e62fc2640ee 100644
--- a/chart/templates/promtail/namespace.yaml
+++ b/chart/templates/promtail/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
 app.kubernetes.io/name: promtail
 app.kubernetes.io/component: "core"
 {{- include "commonLabels" . | nindent 4}}
- istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.promtail) "enabled")) }}
+ istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.promtail) "enabled")) }}
 {{- end }}
diff --git a/chart/templates/promtail/values.yaml b/chart/templates/promtail/values.yaml
index 30632d2a7d37aecb180561ffca72f3477cf27bba..2b9f1323300468c8b00bdf4df59fe05cd3374a95 100644
--- a/chart/templates/promtail/values.yaml
+++ b/chart/templates/promtail/values.yaml
@@ -12,7 +12,7 @@ image:
 openshift: {{ .Values.openshift }}
 istio:
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.promtail.values)
@@ -25,7 +25,7 @@ loki:
 serviceMonitor:
 enabled: {{ .Values.monitoring.enabled }}
 # conditional passes only for default istio: enabled, mTLS: SCRICT
- {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.promtail.values) "STRICT") }}
+ {{- if and (include "istioEnabled" . ) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.promtail.values) "STRICT") }}
 scheme: https
 tlsConfig:
 caFile: /etc/prom-certs/root-cert.pem
@@ -41,7 +41,7 @@ networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
 controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 podAnnotations:
 {{ include "istioAnnotation" . }}
 {{- end }}
diff --git a/chart/templates/sonarqube/values.yaml b/chart/templates/sonarqube/values.yaml
index 7b1da3aa418a6457bb14b9a271bef02904f34431..93454f437693266f58fcab47127f9d5bb29a46e1 100644
--- a/chart/templates/sonarqube/values.yaml
+++ b/chart/templates/sonarqube/values.yaml
@@ -30,6 +30,8 @@ monitoring:
 networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
 ingressLabels:
 {{- $gateway := default "public" .Values.addons.sonarqube.ingress.gateway }}
 {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
diff --git a/chart/templates/tempo/helmrelease.yaml b/chart/templates/tempo/helmrelease.yaml
index e7ca5d51436eaa69b0c1a12c300618dbd79d140e..2b4b68255d11b10e6e8515cbb2d88c349e5dc1bc 100644
--- a/chart/templates/tempo/helmrelease.yaml
+++ b/chart/templates/tempo/helmrelease.yaml
@@ -56,7 +56,7 @@ spec:
 - name: {{ .Release.Name }}-tempo-values
 kind: Secret
 valuesKey: "overlays"
- {{- if or .Values.monitoring.enabled .Values.istio.enabled .Values.tempo.sso.enabled }}
+ {{- if or .Values.monitoring.enabled .Values.tempo.sso.enabled (include "istioEnabled" .) }}
 dependsOn:
 {{- if .Values.monitoring.enabled }}
 - name: monitoring
@@ -70,5 +70,9 @@ spec:
 - name: istio
 namespace: {{ .Release.Namespace }}
 {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ - name: istio-core
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/chart/templates/tempo/namespace.yaml b/chart/templates/tempo/namespace.yaml
index 8ce52cc3a30fcd58538181a130ff80fda5a6e922..1419d53a4e678922e9cdea1dd08e50e0cbf344dd 100644
--- a/chart/templates/tempo/namespace.yaml
+++ b/chart/templates/tempo/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
 app.kubernetes.io/name: tempo
 app.kubernetes.io/component: "core"
 {{- include "commonLabels" . | nindent 4}}
- istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.tempo) "enabled")) }}
+ istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.tempo) "enabled")) }}
 {{- end }}
diff --git a/chart/templates/tempo/values.yaml b/chart/templates/tempo/values.yaml
index b7aeaa2733d696c5085c0982ae9357244a5d8016..b71fa16f18a6e346a5b4c885d2aab80e4e032435 100644
--- a/chart/templates/tempo/values.yaml
+++ b/chart/templates/tempo/values.yaml
@@ -4,7 +4,7 @@
 {{- define "bigbang.defaults.tempo" -}}
-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 podAnnotations:
 {{ include "istioAnnotation" . }}
 {{- end }}
@@ -51,14 +51,22 @@ serviceAccount:
 networkPolicies:
 enabled: {{ .Values.networkPolicies.enabled }}
+ istioNamespaceSelector:
+ {{ include "istioNamespaceSelector" . | nindent 4 }}
 controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 ingressLabels:
+ {{- if .Values.istio.enabled }}
 {{- $gateway := default "public" .Values.tempo.ingress.gateway }}
 {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
 {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.istioCore.enabled }}
+ app: public-ingressgateway
+ istio: ingressgateway
+ {{- end }}
 istio:
- enabled: {{ .Values.istio.enabled }}
+ enabled: {{ include "istioEnabled" . }}
 hardened:
 enabled: {{ or (dig "istio" "hardened" "enabled" false .Values.tempo.values)
@@ -71,7 +79,7 @@ istio:
 - "tempo.{{ .Values.domain }}"
 {{- end }}
 gateways:
- - istio-system/{{ default "public" .Values.tempo.ingress.gateway }}
+ - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.tempo.ingress.gateway }}
 monitoring:
 enabled: {{ .Values.monitoring.enabled }}
@@ -81,7 +89,7 @@ serviceMonitor:
 # conditional passes only if all conditionals are true:
 # - istio: enabled
 # - mTLS: SCRICT
- {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.tempo.values) "STRICT") }}
+ {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.tempo.values) "STRICT") }}
 scheme: https
 tlsConfig:
 caFile: /etc/prom-certs/root-cert.pem
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 3733ee0e04c695f33bccf51d8f8870bd3df79646..78665a8e663c16451e07c813fc6d42cd362571f9 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -14,6 +14,9 @@
 "flux",
 "networkPolicies",
 "imagePullPolicy",
+ "istioCore",
+ "istioGatewayPublic",
+ "istioGatewayPassthrough",
 "istio",
 "istioOperator",
 "jaeger",
@@ -237,6 +240,59 @@
 "IfNotPresent"
 ]
 },
+ "istioCore": {
+ "properties": {
+ "enabled": true,
+ "sourceType": true,
+ "git": true,
+ "helmRepo": true,
+ "flux": true,
+ "values": true,
+ "postRenderers": true
+ },
+ "allOf": [
+ {
+ "$ref": "#/$defs/basePackage"
+ }
+ ],
+ "additionalProperties": true
+ },
+ "istioGatewayPublic": {
+ "properties": {
+ "enabled": true,
+ "sourceType": true,
+ "git": true,
+ "helmRepo": true,
+ "flux": true,
+ "values": true,
+ "postRenderers": true,
+ "tls": true
+ },
+ "allOf": [
+ {
+ "$ref": "#/$defs/basePackage"
+ }
+ ],
+ "additionalProperties": true
+ },
+ "istioGatewayPassthrough": {
+ "properties": {
+ "enabled": true,
+ "sourceType": true,
+ "git": true,
+ "helmRepo": true,
+ "flux": true,
+ "values": true,
+ "postRenderers": true,
+ "tls": true
+ },
+ "allOf": [
+ {
+ "$ref": "#/$defs/basePackage"
+ }
+ ],
+ "additionalProperties": true
+ },
 "istio": {
 "properties": {
 "enabled": true,
diff --git a/chart/values.yaml b/chart/values.yaml
index 9b27725db2ce6edbe606390e936682468ff1910e..0fa5ef4e1a646763b43f2753dfe894d7eda006e6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
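Review bot: `"tls": true` together with `"additionalProperties": true` in the two new gateway schemas means the block that carries the gateway's private key and certificate is accepted with any shape; a misspelled `cert`/`key` child or a non-string value passes validation and only surfaces when the gateway chart renders or the listener fails to come up. Constraining `tls` to an object whose `key` and `cert` are strings, with `additionalProperties: false` on that object, would reject the mistake at lint/install time. The `tls` children named here are the ones the commented-out example in chart/values.yaml uses; if the gateway chart accepts more, list those too.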
@@ -160,6 +160,87 @@ imagePullPolicy: IfNotPresent
 # ----------------------------------------------------------------------------------------------------------------------
 # Istio
 #
+
+istioCore:
+ status: "alpha"
+ # -- Toggle deployment of Istio (helm deployment of istio-base and istiod)
+ enabled: false
+ # -- Choose source type of "git" or "helmRepo"
+ sourceType: "git"
+ git:
+ repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-core.git
+ path: "./chart"
+ branch: "main"
+ #tag:
+ helmRepo:
+ repoName: "registry1"
+ chartName: "istio-core"
+ #tag:
+ # -- Values to passthrough to the istiod chart
+ values:
+ # k8s 1.29+ native sidecars ~ https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates
+ # prevent jobs from hanging ~ https://istio.io/latest/blog/2023/native-sidecars/#sidecar-woes
+ istiod:
+ pilot:
+ env:
+ ENABLE_NATIVE_SIDECARS: 'true'
+ # # enable Tetrate FIPS compliant Istio images
+ # defaults:
+ # global:
+ # enterprise: true
+ # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+ flux: {}
+ # -- Post Renderers. See docs/postrenders.md
+ postRenderers: []
+
+istioGatewayPublic:
+ status: "alpha"
+ # -- Toggle deployment of the Istio public ingress gateway
+ enabled: false
+ # -- Choose source type of "git" or "helmRepo"
+ sourceType: "git"
+ git:
+ repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-gateway.git
+ path: "./chart"
+ branch: "main"
+ #tag:
+ helmRepo:
+ repoName: "registry1"
+ chartName: "istio-gateway"
+ #tag:
+ # -- set the tls key/cert
+ # tls:
+ # key: ""
+ # cert: ""
+ # -- Values to passthrough to the istio-gateway chart
+ values: {}
+ # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+ flux: {}
+ # -- Post Renderers. See docs/postrenders.md
+ postRenderers: []
+
+istioGatewayPassthrough:
+ status: "alpha"
+ # -- Toggle deployment of the Istio passthrough ingress gateway
+ enabled: false
+ # -- Choose source type of "git" or "helmRepo"
+ sourceType: "git"
+ git:
+ repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-gateway.git
+ path: "./chart"
+ branch: "main"
+ #tag:
+ helmRepo:
+ repoName: "registry1"
+ chartName: "istio-gateway"
+ #tag:
+ # -- Values to passthrough to the istio-gateway chart
+ values: {}
+ # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+ flux: {}
+ # -- Post Renderers. See docs/postrenders.md
+ postRenderers: []
+
 istio:
 # -- Toggle deployment of Istio.
 enabled: true
@@ -1810,7 +1891,7 @@ addons:
 # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
 ingress:
 # the istio gateway for keycloak must have tls.mode: PASSTHROUGH
- gateway: "passthrough"
+ gateway: ""
 # -- Certificate/Key pair to use as the certificate for exposing Keycloak
 # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
 key: ""
diff --git a/docs/assets/scripts/developer/k3d-dev.sh b/docs/assets/scripts/developer/k3d-dev.sh
index 6cb606d521caeccbcf71adb273a921a8e3f6369c..5c75ce99cde906801115f1ed6298ac981bb93348 100755
--- a/docs/assets/scripts/developer/k3d-dev.sh
+++ b/docs/assets/scripts/developer/k3d-dev.sh
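Review bot: All three new packages default to `sourceType: "git"` with `branch: "main"` and a commented-out `#tag:`, so an install that leaves the defaults in place tracks the head of a sandbox repository rather than a fixed revision, and two installs of the same Big Bang version can pull different gateway and control-plane code. Every other `#tag:` placeholder in this hunk suggests pinning is the intended end state; filling in a tag before the packages leave "alpha", or noting in the `status` comment that the branch default is deliberate, would make that explicit. Separately, the `flux` comment under `istioCore` reads `# -- Flux reconciliation overrides specifically for the Istio Gateway Package` — a copy from the gateway blocks; it should say `# -- Flux reconciliation overrides specifically for the Istio Core Package`.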
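Review bot: `gateway: ""` replaces `"passthrough"` directly under the comment `# the istio gateway for keycloak must have tls.mode: PASSTHROUGH`, which the hunk leaves in place. If the consuming template resolves an empty value with `default (include "istioPublicGateway" .)` the way the other templates in this diff do, keycloak would be bound to the TLS-terminating public gateway by default, contradicting the comment and moving TLS termination for the identity provider off the keycloak pod. Either the default should remain a passthrough gateway, or the comment should be updated to state how the passthrough gateway is selected now that the value is empty. The same change appears in tests/test-values.yaml.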
@@ -1199,7 +1199,7 @@ function fix_etc_hosts {
 sudo sed -i '/dev.bigbang.mil/d' /etc/hosts
 sudo bash -c "echo '## begin dev.bigbang.mil section (METAL_LB)' >> /etc/hosts"
 sudo bash -c "echo 172.20.1.240 keycloak.dev.bigbang.mil vault.dev.bigbang.mil >> /etc/hosts"
- sudo bash -c "echo 172.20.1.241 anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
+ sudo bash -c "echo 172.20.1.241 anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil neuvector.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
 sudo bash -c "echo '## end dev.bigbang.mil section' >> /etc/hosts"
 # run kubectl to add keycloak and vault's hostname/IP to the configmap for coredns, restart coredns
 kubectl get configmap -n kube-system coredns -o yaml | sed '/^ 172.20.0.1 host.k3d.internal$/a\ \ \ \ 172.20.1.240 keycloak.dev.bigbang.mil vault.dev.bigbang.mil' | kubectl apply -f -
@@ -1212,7 +1212,7 @@ ENDSSH
 sudo sed -i '/dev.bigbang.mil/d' /etc/hosts
 sudo bash -c "echo '## begin dev.bigbang.mil section (ATTACH_SECONDARY_IP)' >> /etc/hosts"
 sudo bash -c "echo $(getPrivateIP2) keycloak.dev.bigbang.mil vault.dev.bigbang.mil >> /etc/hosts"
- sudo bash -c "echo $PrivateIP anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
+ sudo bash -c "echo $PrivateIP anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil neuvector.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
 sudo bash -c "echo '## end dev.bigbang.mil section' >> /etc/hosts"
 # run kubectl to add keycloak and vault's hostname/IP to the configmap for coredns, restart coredns
 kubectl get configmap -n kube-system coredns -o yaml | sed '/^ .* host.k3d.internal$/a\ \ \ \ $(getPrivateIP2) keycloak.dev.bigbang.mil vault.dev.bigbang.mil' | kubectl apply -f -
diff --git a/tests/package-mapping.yaml b/tests/package-mapping.yaml
index b98854f2604d4ce50dccc66761905f22cd60d6d9..a6b01fee8d1ef8186139d76088782d45786e804a 100644
--- a/tests/package-mapping.yaml
+++ b/tests/package-mapping.yaml
@@ -12,6 +12,18 @@ istioOperator:
 repoName: "istio-operator"
 hrName: "istio-operator"
 filePath: "istio-operator"
+istioCore:
+ repoName: "istio-core"
+ hrName: "istio-core"
+ filePath: "istio-core"
+istioGatewayPublic:
+ repoName: "istio-gateway"
+ hrName: "public-ingressgateway"
+ filePath: "istio-gateway-public"
+istioGatewayPassthrough:
+ repoName: "istio-gateway"
+ hrName: "passthrough-ingressgateway"
+ filePath: "istio-gateway-passthrough"
 clusterAuditor:
 repoName: "cluster-auditor"
 hrName: "cluster-auditor"
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index a168dda9bdebff76a34a6f1e89c2f7f2cea3d253..a3968b8b549aa32c3d7239b6dbf2d966e4c78110 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -55,7 +55,6 @@ flux:
 networkPolicies:
 enabled: true
 #controlPlaneCidr: 172.16.0.0/12
-
 istio:
 enabled: true
 ingressGateways:
@@ -79,7 +78,6 @@ istio:
 dashboard:
 auth:
 strategy: "anonymous"
-
 jaeger:
 enabled: false
 sso:
@@ -2213,7 +2211,7 @@ addons:
 keycloak:
 enabled: false
 ingress:
- gateway: "passthrough"
+ gateway: ""
 key: "" # Gets added via chart/ingress-certs.yaml
 cert: "" # Gets added via chart/ingress-certs.yaml
 values: