Updated istio values umbrella template

Package Merge Request

Package Changes

N/A

Umbrella Template Changes

This MR contains changes to the Istio Umbrella template to address some bugs in the creation of gateways and ingress gateways:

• IngressGateways would only ever work if kubernetesResourceSpec was specified. However, our documentation says it should be k8s. In our defaults we are using kubernetesResourceSpec so it appears the goal was to allow both to work, but that was not the case. Added $values.k8s to the merge so it would work as expected in all cases.

• TLS was being specified even when the protocol was not HTTPS preventing new gateways from being created (See issue here). This occurred on upgrades only and while it worked on fresh installs, it still put the TLS section in which is not valid. This also made it impossible to create standard HTTP endpoints.

• Added logic to allow users to manually specify if they want an HTTP endpoint to redirect to HTTPS in the event they want a more customized gateway. This will allow users to set our autoHttpRedirect to false when they need more granular control while still being able to use the functionality when and where they need it.

The following can be added to the istio.ingressGateways section under the test-values.yaml file to validate:

    twistlock-ingressgateway:
      type: "LoadBalancer"
      kubernetesResourceSpec:
        service:
          ports:
            - name: tcp-health-status
              port: 15021
              targetPort: 15021
              nodePort: 30200
            - name: tcp-twistlock-wss
              port: 8084
              targetPort: 8084
              nodePort: 30201
    additional-ingressgateway:
      type: "LoadBalancer"
      k8s:
        service:
          ports:
            - name: tcp-health-status
              port: 15021
              targetPort: 15021
              nodePort: 30300
            - name: http-redirect
              port: 80
              targetPort: 8080
              nodePort: 30301
            - name: https
              port: 443
              targetPort: 8443
              nodePort: 30302
            - name: http-custom
              port: 8000
              targetPort: 8000
              nodePort: 30303

The following can be added under the istio.gateways:

    twistlock:
      autoHttpRedirect:
        enabled: false
      selector:
        app: "twistlock-ingressgateway"
      servers:
        - hosts:
          - "*"
          port:
            name: tcp-twistlock-wss
            number: 8084
            protocol: TCP
    additional:
      autoHttpRedirect:
        enabled: false
      selector:
        app: "additional-ingressgateway"
      servers:
        - hosts:
          - "*.someotherrandomurl.com"
          port:
            name: http-custom
            number: 8000
            protocol: HTTP
        - hosts:
          - "*.someotherrandomurl.com"
          port:
            name: http-redirect
            number: 8080
            protocol: HTTP
          tls:
            httpsRedirect: true
        - hosts:
          - "*.someotherrandomurl.com"
          port:
            name: https
            number: 8443
            protocol: HTTPS
          tls:
            mode: PASSTHROUGH

Executing the following commands can be used to verify the service and ingress pods are listening on the correct ports:

kubectl get svc -n istio-system -o wide
kubectl get pods -n istio-system -o yaml | grep containerPort -B 20

The following can be executed to verify the gateways are configured as expected:

kubectl get gateways -n istio-system -o yaml

Package MR

N/A

For Issue

Closes (link to issue here)

Upgrade Notices

N/A