Merge branch 'istio-sandbox' into 'master'

Operatorless Istio with CORE packages only SKIP UPGRADE DEBUG Closes #2256 See merge request !4906

Merge branch 'istio-sandbox' into 'master'
66fd6a46 · Michael Martin · 3ef346fc · 49b82d89 · 66fd6a46 · 66fd6a46
Commit 66fd6a46 authored 3 weeks ago by Michael Martin
--- a/chart/templates/tempo/namespace.yaml
+++ b/chart/templates/tempo/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: tempo
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.tempo) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.tempo) "enabled")) }}
 {{- end }}
--- a/chart/templates/tempo/values.yaml
+++ b/chart/templates/tempo/values.yaml
@@ -4,7 +4,7 @@

 {{- define "bigbang.defaults.tempo" -}}

-{{- if .Values.istio.enabled }}
+{{- if include "istioEnabled" . }}
 podAnnotations:
  {{ include "istioAnnotation" . }}
 {{- end }}
@@ -51,14 +51,22 @@ serviceAccount:

 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
  ingressLabels:
+    {{- if .Values.istio.enabled }}
    {{- $gateway := default "public" .Values.tempo.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.istioCore.enabled }}
+    app: public-ingressgateway
+    istio: ingressgateway
+    {{- end }}

 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
  hardened:
    enabled: {{ or
      (dig "istio" "hardened" "enabled" false .Values.tempo.values)
@@ -71,7 +79,7 @@ istio:
      - "tempo.{{ .Values.domain }}"
    {{- end }}
    gateways:
-    - istio-system/{{ default "public" .Values.tempo.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.tempo.ingress.gateway }}

 monitoring:
  enabled: {{ .Values.monitoring.enabled }}
@@ -81,7 +89,7 @@ serviceMonitor:
  # conditional passes only if all conditionals are true:
  # - istio: enabled
  # - mTLS: SCRICT
-  {{- if and .Values.istio.enabled (eq (dig "istio" "mtls" "mode" "STRICT" .Values.tempo.values) "STRICT") }}
+  {{- if and (include "istioEnabled" .) (eq (dig "istio" "mtls" "mode" "STRICT" .Values.tempo.values) "STRICT") }}
  scheme: https
  tlsConfig:
    caFile: /etc/prom-certs/root-cert.pem

--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -14,6 +14,9 @@
    "flux",
    "networkPolicies",
    "imagePullPolicy",
+    "istioCore",
+    "istioGatewayPublic",
+    "istioGatewayPassthrough",
    "istio",
    "istioOperator",
    "jaeger",
@@ -237,6 +240,59 @@
        "IfNotPresent"
      ]
    },
+    "istioCore": {
+      "properties": {
+        "enabled": true,
+        "sourceType": true,
+        "git": true,
+        "helmRepo": true,
+        "flux": true,
+        "values": true,
+        "postRenderers": true
+      },
+      "allOf": [
+        {
+          "$ref": "#/$defs/basePackage"
+        }
+      ],
+      "additionalProperties": true
+    },
+    "istioGatewayPublic": {
+      "properties": {
+        "enabled": true,
+        "sourceType": true,
+        "git": true,
+        "helmRepo": true,
+        "flux": true,
+        "values": true,
+        "postRenderers": true,
+        "tls": true
+      },
+      "allOf": [
+        {
+          "$ref": "#/$defs/basePackage"
+        }
+      ],
+      "additionalProperties": true
+    },
+    "istioGatewayPassthrough": {
+      "properties": {
+        "enabled": true,
+        "sourceType": true,
+        "git": true,
+        "helmRepo": true,
+        "flux": true,
+        "values": true,
+        "postRenderers": true,
+        "tls": true
+      },
+      "allOf": [
+        {
+          "$ref": "#/$defs/basePackage"
+        }
+      ],
+      "additionalProperties": true
+    },
    "istio": {
      "properties": {
        "enabled": true,

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -160,6 +160,87 @@ imagePullPolicy: IfNotPresent
 # ----------------------------------------------------------------------------------------------------------------------
 # Istio
 #
+
+istioCore:
+  status: "alpha"
+  # -- Toggle deployment of Istio (helm deployment of istio-base and istiod)
+  enabled: false
+  # -- Choose source type of "git" or "helmRepo"
+  sourceType: "git"
+  git:
+    repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-core.git
+    path: "./chart"
+    branch: "main"
+    #tag:
+  helmRepo:
+    repoName: "registry1"
+    chartName: "istio-core"
+    #tag:
+  # -- Values to passthrough to the istiod chart
+  values:
+    # k8s 1.29+ native sidecars ~ https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates
+    # prevent jobs from hanging ~ https://istio.io/latest/blog/2023/native-sidecars/#sidecar-woes
+    istiod:
+      pilot:
+        env:
+          ENABLE_NATIVE_SIDECARS: 'true'
+    # # enable Tetrate FIPS compliant Istio images
+    # defaults:
+    #   global:
+    #     enterprise: true
+  # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+  flux: {}
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+
+istioGatewayPublic:
+  status: "alpha"
+  # -- Toggle deployment of the Istio public ingress gateway
+  enabled: false
+  # -- Choose source type of "git" or "helmRepo"
+  sourceType: "git"
+  git:
+    repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-gateway.git
+    path: "./chart"
+    branch: "main"
+    #tag:
+  helmRepo:
+    repoName: "registry1"
+    chartName: "istio-gateway"
+    #tag:
+  # -- set the tls key/cert
+  # tls:
+  #   key: ""
+  #   cert: ""
+  # -- Values to passthrough to the istio-gateway chart
+  values: {}
+  # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+  flux: {}
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+
+istioGatewayPassthrough:
+  status: "alpha"
+  # -- Toggle deployment of the Istio passthrough ingress gateway
+  enabled: false
+  # -- Choose source type of "git" or "helmRepo"
+  sourceType: "git"
+  git:
+    repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-gateway.git
+    path: "./chart"
+    branch: "main"
+    #tag:
+  helmRepo:
+    repoName: "registry1"
+    chartName: "istio-gateway"
+    #tag:
+  # -- Values to passthrough to the istio-gateway chart
+  values: {}
+  # -- Flux reconciliation overrides specifically for the Istio Gateway Package
+  flux: {}
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+
 istio:
  # -- Toggle deployment of Istio.
  enabled: true
@@ -1810,7 +1891,7 @@ addons:
    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      # the istio gateway for keycloak must have tls.mode: PASSTHROUGH
-      gateway: "passthrough"
+      gateway: ""
      # -- Certificate/Key pair to use as the certificate for exposing Keycloak
      # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
      key: ""

--- a/docs/assets/scripts/developer/k3d-dev.sh
+++ b/docs/assets/scripts/developer/k3d-dev.sh
@@ -1199,7 +1199,7 @@ function fix_etc_hosts {
    sudo sed -i '/dev.bigbang.mil/d' /etc/hosts
    sudo bash -c "echo '## begin dev.bigbang.mil section (METAL_LB)' >> /etc/hosts"
    sudo bash -c "echo 172.20.1.240  keycloak.dev.bigbang.mil vault.dev.bigbang.mil >> /etc/hosts"
-    sudo bash -c "echo 172.20.1.241 anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
+    sudo bash -c "echo 172.20.1.241 anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil neuvector.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
    sudo bash -c "echo '## end dev.bigbang.mil section' >> /etc/hosts"
    # run kubectl to add keycloak and vault's hostname/IP to the configmap for coredns, restart coredns
    kubectl get configmap -n kube-system coredns -o yaml | sed '/^    172.20.0.1 host.k3d.internal$/a\ \ \ \ 172.20.1.240 keycloak.dev.bigbang.mil vault.dev.bigbang.mil' | kubectl apply -f -
@@ -1212,7 +1212,7 @@ ENDSSH
    sudo sed -i '/dev.bigbang.mil/d' /etc/hosts
    sudo bash -c "echo '## begin dev.bigbang.mil section (ATTACH_SECONDARY_IP)' >> /etc/hosts"
    sudo bash -c "echo $(getPrivateIP2)  keycloak.dev.bigbang.mil vault.dev.bigbang.mil >> /etc/hosts"
-    sudo bash -c "echo $PrivateIP anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
+    sudo bash -c "echo $PrivateIP anchore-api.dev.bigbang.mil anchore.dev.bigbang.mil argocd.dev.bigbang.mil gitlab.dev.bigbang.mil registry.dev.bigbang.mil tracing.dev.bigbang.mil kiali.dev.bigbang.mil kibana.dev.bigbang.mil chat.dev.bigbang.mil minio.dev.bigbang.mil minio-api.dev.bigbang.mil alertmanager.dev.bigbang.mil grafana.dev.bigbang.mil prometheus.dev.bigbang.mil neuvector.dev.bigbang.mil nexus.dev.bigbang.mil sonarqube.dev.bigbang.mil tempo.dev.bigbang.mil twistlock.dev.bigbang.mil >> /etc/hosts"
    sudo bash -c "echo '## end dev.bigbang.mil section' >> /etc/hosts"
    # run kubectl to add keycloak and vault's hostname/IP to the configmap for coredns, restart coredns
    kubectl get configmap -n kube-system coredns -o yaml | sed '/^    .* host.k3d.internal$/a\ \ \ \ $(getPrivateIP2) keycloak.dev.bigbang.mil vault.dev.bigbang.mil' | kubectl apply -f -

--- a/tests/package-mapping.yaml
+++ b/tests/package-mapping.yaml
@@ -12,6 +12,18 @@ istioOperator:
  repoName: "istio-operator"
  hrName: "istio-operator"
  filePath: "istio-operator"
+istioCore:
+  repoName: "istio-core"
+  hrName: "istio-core"
+  filePath: "istio-core"
+istioGatewayPublic:
+  repoName: "istio-gateway"
+  hrName: "public-ingressgateway"
+  filePath: "istio-gateway-public"
+istioGatewayPassthrough:
+  repoName: "istio-gateway"
+  hrName: "passthrough-ingressgateway"
+  filePath: "istio-gateway-passthrough"
 clusterAuditor:
  repoName: "cluster-auditor"
  hrName: "cluster-auditor"

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -55,7 +55,6 @@ flux:
 networkPolicies:
  enabled: true
  #controlPlaneCidr: 172.16.0.0/12
-
 istio:
  enabled: true
  ingressGateways:
@@ -79,7 +78,6 @@ istio:
      dashboard:
        auth:
          strategy: "anonymous"
-
 jaeger:
  enabled: false
  sso:
@@ -2213,7 +2211,7 @@ addons:
  keycloak:
    enabled: false
    ingress:
-      gateway: "passthrough"
+      gateway: ""
      key: "" # Gets added via chart/ingress-certs.yaml
      cert: "" # Gets added via chart/ingress-certs.yaml
    values: